โพสต์ถูกสร้างโดย NCSA_THAICERT

NCSA_THAICERT

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบข้อมูลการเปิดเผยช่องโหว่ด้านความมั่นคงปลอดภัยระดับร้ายแรงในแพลตฟอร์ม IBM API Connect หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถข้ามกระบวนการยืนยันตัวตนและเข้าถึงระบบหรือแอปพลิเคชันได้โดยไม่ได้รับอนุญาต ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่
• ช่องโหว่หมายเลข CVE-2025-13915 จัดอยู่ในประเภท Authentication Vulnerability
• ช่องโหว่นี้เกิดจากกลไกการยืนยันตัวตนของแพลตฟอร์ม IBM API Connect ที่ไม่เหมาะสม
• ผู้ไม่หวังดีอาจสามารถข้ามกระบวนการยืนยันตัวตน และเข้าถึงระบบหรือฟังก์ชันของแอปพลิเคชันได้โดยไม่ได้รับอนุญาต
• ส่งผลให้มีความเสี่ยงต่อการเข้าควบคุมระบบ การเข้าถึงข้อมูลสำคัญ หรือการดำเนินการที่เป็นอันตรายต่อระบบงานขององค์กร

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• IBM API Connect เวอร์ชัน 10.0.8.0 – 10.0.8.5
• IBM API Connect เวอร์ชัน 10.0.11.0

️ ThaiCERT แนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบเร่งดำเนินการตรวจสอบและแก้ไขโดยเร็ว

แนวทางการตรวจสอบและการป้องกัน

แนวทางการตรวจสอบ
• ตรวจสอบเวอร์ชันของ IBM API Connect ที่ใช้งานอยู่ ว่าอยู่ในช่วงเวอร์ชันที่ได้รับผลกระทบหรือไม่
• ตรวจสอบการตั้งค่าการยืนยันตัวตนและการเข้าถึงระบบ
• ตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับการเข้าถึงระบบและการใช้งาน API
แนวทางการป้องกัน
• ดำเนินการอัปเดต IBM API Connect เป็นเวอร์ชันที่มีการติดตั้ง iFix ล่าสุด ตามคำแนะนำของ IBM
• จำกัดสิทธิ์การเข้าถึงระบบและฟังก์ชันที่เกี่ยวข้องให้เฉพาะผู้ใช้งานที่จำเป็น
มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
• พิจารณา ปิดฟังก์ชัน self-service sign-up บน Developer Portal เป็นการชั่วคราว
• เพิ่มมาตรการควบคุมการเข้าถึงระบบ และเฝ้าระวังการใช้งานที่ผิดปกติ

แหล่งอ้างอิง
• https://nvd.nist.gov/vuln/detail/CVE-2025-13915
• https://www.ibm.com/support/pages/node/7255149

IBM API Connect V5.png

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#IBMAPIConnect #CVE202513915 #ThaiCERT #ThaiCyberSecurity#ช่องโหว่รุนแรง #AuthenticationBypass #APISecurity #อัปเดตด่วน

NCSA_THAICERT

New Tooling

Superagent: Open-Source Framework For Guardrails Around Agentic AI
"Superagent is an open-source framework for building, running, and controlling AI agents with safety built into the workflow. The project focuses on giving developers and security teams tools to manage what agents can do, what they can access, and how they behave during execution. Superagent targets environments where autonomous or semi autonomous agents interact with APIs, data sources, and external services."
https://www.helpnetsecurity.com/2025/12/29/superagent-framework-guardrails-agentic-ai/
https://github.com/superagent-ai/superagent

Malware

Shai Hulud Strikes Again - The Golden Path
"As of 30 minutes ago, we detected what we believe to be the first instance of a new strain of Shai Hulud, which was uploaded to npm in the package @vietmoney/react-big-calendar : https://www.npmjs.com/package/@vietmoney/react-big-calendar It contains a new and novel strain of Shai Hulud. At this time, there does NOT seem to be any major spread or infections. This suggests we may have caught the attackers testing their payload. The differences in the code suggests that this was obfuscated again from original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."
https://www.aikido.dev/blog/shai-hulud-strikes-again---the-golden-path
https://www.bankinfosecurity.com/researchers-spot-new-shai-hulud-variant-a-30409
The HoneyMyte APT Evolves With a Kernel-Mode Rootkit And a ToneShell Backdoor
"In mid-2025, we identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys. Our analysis indicates that the final payload injected by the driver is a new sample of the ToneShell backdoor, which connects to the attacker’s servers and provides a reverse shell, along with other capabilities. The ToneShell backdoor is a tool known to be used exclusively by the HoneyMyte (aka Mustang Panda or Bronze President) APT actor and is often used in cyberespionage campaigns targeting government organizations, particularly in Southeast and East Asia."
https://securelist.com/honeymyte-kernel-mode-rootkit/118590/
https://www.bleepingcomputer.com/news/security/chinese-state-hackers-use-rootkit-to-hide-toneshell-malware-activity/
EmEditor Supply Chain Incident Details Disclosed: Distribution Of Information-Stealing Malware Sweeps Through Domestic Government And Enterprise Entities
"On December 23, 2025, the renowned document editor EmEditor officially released an announcement stating that between December 19th and 22nd, its official website installation packages were subjected to a supply chain attack. The MSI installation packages were replaced with malicious ones signed with a non-official signature "WALSHAM INVESTMENTS LIMITED":"
https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/
https://www.emeditor.com/general/important-security-incident-notice-regarding-the-emeditor-installer-download-link/
https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/

Breaches/Hacks/Leaks

Trust Wallet Says 2,596 Wallets Drained In $7 Million Crypto Theft Attack
"Trust Wallet says attackers who compromised its browser extension right before Christmas have drained approximately $7 million from nearly 3,000 cryptocurrency wallet addresses. The cryptocurrency wallet (used by over 200 million people according to its official website) allows users to store, send, receive, and manage Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens using a browser extension and free iOS and Android mobile apps. Trust Wallet launched in 2017 and was acquired by Binance, one of the world's largest cryptocurrency exchanges, the following year. Despite this, it still operates as a separate, decentralized wallet application."
https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/
Romanian Energy Provider Hit By Gentlemen Ransomware Attack
"A ransomware attack hit Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure. The 40-year-old Romanian energy provider employs over 19,000 people, operates four power plants with an installed production capacity of 3900 MWh, and provides about 30% of Romania's electricity. "As a result of the attack, some documents and files were encrypted, and several computer applications became temporarily unavailable, including ERP systems, document management applications, the company's email service, and website," it said over the weekend."
https://www.bleepingcomputer.com/news/security/romanian-energy-provider-hit-by-gentlemen-ransomware-attack/
https://securityaffairs.com/186290/cyber-crime/romanias-oltenia-energy-complex-suffers-major-ransomware-attack.html
Korean Air Data Breach Exposes Data Of Thousands Of Employees
"Korean Air experienced a data breach affecting thousands of employees after Korean Air Catering & Duty-Free (KC&D), its in-flight catering supplier and former subsidiary, was recently hacked. Korea's flag carrier has over 20,000 employees, a fleet of over 160 aircraft, and has reported over $11 billion in revenue after carrying more than 23 million passengers in 2024. The airline issued an internal notice on Monday, disclosing a data breach after KC&D (which spun off as a separate in-flight meals and retail company in 2020) notified it that it had been recently hacked."
https://www.bleepingcomputer.com/news/security/korean-air-data-breach-exposes-data-of-thousands-of-employees/
https://securityaffairs.com/186275/data-breach/korean-air-discloses-data-breach-after-the-hack-of-its-catering-and-duty-free-supplier.html
Two More Banks Notifying Thousands Of Victims About Marquis Software Ransomware Attack
"Two U.S. banks have come forward to warn customers they were impacted by an August ransomware attack on a popular financial software company. Artisans' Bank and VeraBank informed regulators in Maine last week that recent data breaches were sourced back to a cyberattack on Marquis Software. The software company previously said it suffered a ransomware attack around August 14 that affected dozens of its corporate customers and thousands of downstream users. VeraBank explained in letters to victims that Marquis Software is their “customer communication and data analysis vendor.”"
https://therecord.media/banks-marquis-software-ransomware

General News

Automation Forces a Reset In Security Strategy
"Enterprise security teams are working under the assumption that disruption is constant. A global study by Trellix shows that resilience has moved from a long term goal to a structural requirement for CISOs. Infrastructure design, operational integration, and the use of AI shape how organizations prepare for ongoing pressure from threats and regulation."
https://www.helpnetsecurity.com/2025/12/29/trellix-hybrid-security-infrastructure-report/
Hacker Arrested For KMSAuto Malware Campaign With 2.8 Million Downloads
"A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man was extradited from Georgia to South Korea following a related request under Interpol’s coordination. According to the Korean National Police Agency, the suspect used KMSAuto to lure victims into downloading a malicious executable that scanned the clipboard for cryptocurrency addresses and replaced them with ones controlled by the attacker - known as 'clipper malware'."
https://www.bleepingcomputer.com/news/security/hacker-arrested-for-kmsauto-malware-campaign-with-28-million-downloads/
Former Coinbase Support Agent Arrested For Helping Hackers
"A former Coinbase customer service agent was arrested in India for helping hackers earlier this year steal sensitive customer information from a company database. The arrest occurred in Hyderabad, the capital of India's Telangana state and a major technology center in the country, and it is expected that more individuals will be detained, according to Coinbase CEO Brian Armstrong."
https://www.bleepingcomputer.com/news/security/former-coinbase-support-agent-arrested-for-helping-hackers/
https://www.theregister.com/2025/12/29/indian_cops_cuff_coinbase_exrep/
Cybersecurity Trends: What's In Store For Defenders In 2026?
"As the year comes to a close, what's notable over the past 12 months is how much hasn't fundamentally changed on the cyberattack front. Nation-state and cybercrime hackers are exploiting edge devices at scale. Chinese nation-state and affiliated private hackers enjoy deep access to Western critical infrastructure through networks often poorly protected due to outdated or poorly configured equipment and inadequate visibility."
https://www.bankinfosecurity.com/blogs/cybersecurity-trends-whats-in-store-for-defenders-in-2026-p-4009
Dark Reading Confidential: Stop Secrets Creep Across Developer Platforms
"And welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I'm Becky Bracken, your host. And today I am lucky to be joined by my colleague, Rob Wright, who has been Dark Reading's lead reporter on the topic we are taking on today, secrets creep. More particularly, sensitive enterprise information, which is being fed into software development platforms. Rob, is that a fair assessment?"
https://www.darkreading.com/cybersecurity-operations/stop-secrets-creep-across-developer-platforms
SBOMs In 2026: Some Love, Some Hate, Much Ambivalence
"A software bill of materials (SBOMs) has been touted as a critical tool in solving software supply-chain security issues, but the rapid change of software ecosystems and the complexity of creating an end-to-end verified chain of code continue to foil widespread adoption. Docker, for example, has fully embraced the software ingredient lists in their Docker Hardened Images, the company's minimal, security-focused recipes for building secure software containers. The images are built from the ground up to minimize unnecessary software components — also known as artifacts — and sport complete SBOMs and proof of provenance using Level 3 of the Supply-chain Levels for Software Artifacts (SLSA), a way to digitally ensure build integrity and provide verification of software sources."
https://www.darkreading.com/application-security/sboms-in-2026-some-love-some-hate-much-ambivalence
5 Threats That Defined Security In 2025
"2025 marked yet another busy year in security, between big attacks, government shakeups, and dangerous flaws that echo of the past. The moments that defined this year were impactful but felt evenly spread across the year. Early in 2025, we saw China-nexus advanced persistent threat (APT) Salt Typhoon continue its assault against telecom companies as part of its espionage operations. In the summer and into the fall, we saw the Cybersecurity and Infrastructure Security Agency (CISA) face budgetary cuts and layoffs, fallout from President Trump's commitment to slim the US government at any cost. And just this past month, React2Shell was disclosed to the public — a vulnerability in React with a CVSS score of 10 that echoed of the now-infamous Log4Shell."
https://www.darkreading.com/vulnerabilities-threats/five-threats-that-defined-security-2025
LLMs Are Automating The Human Part Of Romance Scams
"Romance scams succeed because they feel human. New research shows that feeling no longer requires a person on the other side of the chat. Romance baiting scams build emotional bonds over weeks before steering victims toward fake cryptocurrency investments. A recent study shows that most of this work consists of repeatable text exchanges that are already being augmented with language models."
https://www.helpnetsecurity.com/2025/12/29/llms-romance-baiting-scams-study/
https://arxiv.org/pdf/2512.16280
Malware In 2025 Spread Far Beyond Windows PCs
"This blog is part of a series highlighting new and concerning trends we noticed over the last year. Trends matter because they almost always provide a good indication of what’s coming next. If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows alone. We’ve seen some major developments, especially in campaigns targeting Android and macOS. Unfortunately, many people still don’t realize that protecting smartphones, tablets, and other connected devices is just as essential as securing their laptops."
https://www.malwarebytes.com/blog/news/2025/12/malware-in-2025-spread-beyond-windows-pcs
Survey: Security Spending To Increase Sharply In 2026
"The good news for cybersecurity teams heading into 2026 is that despite a lot of economic uncertainty, cybersecurity budgets are expected to rise. A survey of 310 C-suite security leaders at U.S. organizations with at least $1 billion in revenue finds nearly all (99%) lead organizations that plan to increase cybersecurity budgets in the next few years, with well over half (54%) planning for significant increases of 6% to 10% as they brace for future threats."
https://blog.barracuda.com/2025/12/29/survey--security-spending-to-increase-sharply-in-2026
Traditional Security Frameworks Leave Organizations Exposed To AI-Specific Attack Vectors
"In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI systems in 2024 alone, a 25% increase from the previous year."
https://thehackernews.com/2025/12/traditional-security-frameworks-leave.html

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบการอัปเดตด้านความปลอดภัยเพื่อแก้ไขช่องโหว์ในซอฟต์แวร์ SmarterMail
หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถเรียกใช้งานคำสั่งบนระบบจากระยะไกล ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่:
SmarterTools ตรวจพบช่องโหว่ความรุนแรงระดับ Critical ในซอฟต์แวร์ SmarterMail
ช่องโหว่นี้เปิดโอกาสให้ผู้โจมตีที่ ยังไม่ได้ยืนยันตัวตน (Unauthenticated) สามารถอัปโหลดไฟล์ไปยังตำแหน่งใดก็ได้บน Mail Server หากถูกโจมตีสำเร็จ อาจนำไปสู่ Remote Code Execution (RCE) และการควบคุมระบบ Mail Server ได้ทั้งหมด ระบบที่เปิด SmarterMail ให้เข้าถึงจาก Internet มีความเสี่ยงสูงมาก ต้องอัปเดตทันที

ภาพรวมของช่องโหว่ (Overview)

ช่องโหว่ที่เกี่ยวข้อง: CVE-2025-52691 ระดับความรุนแรง: Critical (CVSS 3.1 = 10.0)
ลักษณะช่องโหว่: ช่องโหว่ประเภท Unauthenticated Arbitrary File Upload ระบบไม่จำกัดตำแหน่งและชนิดของไฟล์ที่อัปโหลด ผู้โจมตีไม่จำเป็นต้องมีบัญชีผู้ใช้หรือรหัสผ่าน
ผู้โจมตีสามารถอัปโหลดไฟล์อันตรายไปยัง Server ได้ อาจนำไปสู่การรันโค้ดจากระยะไกล (Remote Code Execution)
ผลิตภัณฑ์ที่ได้รับผลกระทบ: SmarterTools SmarterMail

ผลกระทบ️ หากช่องโหว่นี้ถูกโจมตีสำเร็จ อาจส่งผลดังนี้:

อัปโหลดไฟล์อันตรายไปยัง Server ได้ทันที
รันโค้ดจากระยะไกล (Remote Code Execution)
เข้าควบคุม Mail Server โดยไม่ได้รับอนุญาต
เข้าถึงข้อมูลอีเมลภายในองค์กร
ใช้ Mail Server เป็นฐานโจมตีระบบอื่น (Pivot / Lateral Movement)

เวอร์ชันที่ได้รับผลกระทบ (Affected Versions): SmarterMail Build 9406 และเวอร์ชันก่อนหน้า

แนวทางแก้ไข (Mitigation – Recommended) SmarterTools แนะนำให้ผู้ดูแลระบบดำเนินการดังนี้:

อัปเกรด SmarterMail เป็น Build 9413 หรือใหม่กว่าทันที
ตรวจสอบว่าการอัปเดตเสร็จสมบูรณ์และรีสตาร์ทบริการเรียบร้อย
ตรวจสอบไฟล์ที่ถูกอัปโหลดผิดปกติก่อนหน้า (Retroactive Check)

แนวทางแก้ไขชั่วคราว: ไม่มี Workaround ที่ปลอดภัยเพียงพอ หากยังไม่สามารถอัปเดตได้ในทันที ควรดำเนินการเพื่อลดความเสี่ยงดังนี้

จำกัดการเข้าถึง SmarterMail จาก Internet
อนุญาตให้เข้าถึงเฉพาะ IP ที่จำเป็น
ปิดการเข้าถึงผ่าน Web Interface หากไม่จำเป็น
หมายเหตุ: เป็นเพียงการลดความเสี่ยง ไม่ใช่การแก้ไขถาวร

คำแนะนำด้านความปลอดภัยเพิ่มเติม (Security Hardening)

ตรวจสอบ Log: Web access logs, File upload activity, Error logs ที่ผิดปกติ
ตรวจสอบไฟล์ใหม่ที่ถูกสร้างใน Directory ของ Web / Mail service
สำรองข้อมูล (Backup) ก่อนและหลังการอัปเดต
แยก SmarterMail ออกจากระบบ Critical อื่น (Network Segmentation)
ใช้ Web Application Firewall (WAF) หากเป็นไปได้

แหล่งอ้างอิง (References)

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#SmarterMail #CVE202552691 #ThaiCERT #ThaiCyberSecurity #ช่องโหว่รุนแรง #RCE #MailServerSecurity #อัปเดตด่วน

NCSA_THAICERT

ผู้ใช้ EmEditor เสี่ยงถูกขโมยข้อมูล หลังปุ่ม Download.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

การรั่วไหลข้อมูล LastPass ในปี 2022 ยังคงถูกนำไปใช.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

แฮกเกอร์ปล่อยฐานข้อมูล WIRED 2.3 ล้านรายการ พร้.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Vulnerabilities

All I Want For Christmas Is Your Secrets: LangGrinch Hits LangChain Core (CVE-2025-68664)
"Earlier this year, my research focused on breaking secret managers in our “Vault Fault” work – systems that are explicitly designed to be the security boundary around your most sensitive credentials. One takeaway kept repeating: when a platform accidentally treats attacker-shaped data as trusted structure, that boundary collapses fast. This time, the system that “breaks” isn’t your secret manager. It’s the agent framework that may use them."
https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/
https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html
https://securityaffairs.com/186185/hacking/langchain-core-vulnerability-allows-prompt-injection-and-data-exposure.html
CVE-2025-54322 (ZERODAY) - Unauthenticated Root RCE Affecting ~70,000+ Hosts
"Xspeeder is a Chinese networking vendor known for edge devices like routers, SD-WAN appliances, and smart TV controllers. Their core firmware, SXZOS, powers a line of SD-WAN devices that are especially prevalent across remote industrial and branch environments. According to Fofa and other more advanced fingerprinting services, there are tens of thousands of publicly accessible SXZOS-based systems globally in various geographic regions, making this firmware and any potential vulnerability it exposes, a widespread risk surface. This was one of the devices that made it into our office over a 8 month ago for research purposes."
https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

Malware

Exploited MongoBleed Flaw Leaks MongoDB Secrets, 87K Servers Exposed
"A severe vulnerability affecting multiple MongoDB versions, dubbed MongoBleed (CVE-2025-14847), is being actively exploited in the wild, with over 80,000 potentially vulnerable servers exposed on the public web. A public exploit and accompanying technical details are available, showing how attackers can trigger the flaw to remotely extract secrets, credentials, and other sensitive data from an exposed MongoDB server. The vulnerability was assigned a severity score of 8.7 and has been handled as a “critical fix,” with a patch available for self-hosting instances since December 19."
https://www.bleepingcomputer.com/news/security/exploited-mongobleed-flaw-leaks-mongodb-secrets-87k-servers-exposed/
Fake GrubHub Emails Promise Tenfold Return On Sent Cryptocurrency
"Grubhub users received fraudulent messages, apparently from a company email address, promising a tenfold bitcoin payout in return for a transfer to a specified wallet. The emails claimed to be part of a ‘Holiday Crypto Promotion’ and came from an email address on ‘b.grubhub.com’, which is a legitimate subdomain that Grubhub uses to communicate with its merchant partners and restaurants."
https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/
Trust Wallet Confirms Extension Hack Led To $7 Million Crypto Theft
"Trust Wallet confirmed that a compromised Chrome extension update released on December 24 led to $7 million in stolen cryptocurrency after users reported their wallets drained. "So far, $7m affected by this hack. TrustWallet will cover. User funds are SAFU. Appreciate your understanding for any inconveniences caused," posted Binance founder Changpeng "CZ" Zhao on X. "The team is still investigating how hackers were able to submit a new version.""
https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/
https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html
https://securityaffairs.com/186163/cyber-crime/trust-wallet-warns-users-to-update-chrome-extension-after-7m-security-loss.html

Breaches/Hacks/Leaks

Everest Ransomware Group Claims Theft Of Over 1TB Of Chrysler Data
"On December 25, while much of the world was observing Christmas, the Everest ransomware group published a new post on its dark web leak site claiming it had breached Chrysler systems, an American automaker. The group says it exfiltrated 1088 GB (over 1 TB) of data, describing it as a full database linked to Chrysler operations. According to the threat actors, the stolen data spans from 2021 through 2025 and includes more than 105 GB of Salesforce related information. Everest claims the data contains extensive personal and operational records tied to customers, dealers, and internal agents."
https://hackread.com/everest-ransomware-group-chrysler-data-breach/
Hacker Leaks 2.3M Wired.com Records, Claims 40M-User Condé Nast Breach
"A hacker using the alias “Lovely” has leaked what they claim is the personal data of over 2.3 million Wired.com users, a prominent American magazine and website. The leak was posted on December 20, 2025, on a newly launched hacking forum called Breach Stars. Along with a download link and file hash, the hacker issued a statement accusing Condé Nast, Wired’s parent company, of ignoring repeated warnings:"
https://hackread.com/hacker-leak-wired-com-records-conde-nast-breach/
https://databreaches.net/2025/12/25/conde-nast-gets-hacked-and-databreaches-gets-played-christmas-lump-of-coal-edition/
https://www.bleepingcomputer.com/news/security/hacker-claims-to-leak-wired-database-with-23-million-records/
https://securityaffairs.com/186224/data-breach/conde-nast-faces-major-data-breach-2-3m-wired-records-leaked-40m-more-at-risk.html
Massive Rainbow Six Siege Breach Gives Players Billions Of Credits
"Ubisoft's Rainbow Six Siege (R6) suffered a breach that allowed hackers to abuse internal systems to ban and unban players, manipulate in-game moderation feeds, and grant massive amounts of in-game currency and cosmetic items to accounts worldwide."
https://www.bleepingcomputer.com/news/security/massive-rainbow-six-siege-breach-gives-players-billions-of-credits/

General News

Mentorship And Diversity: Shaping The Next Generation Of Cyber Experts
"Welcome to Dark Reading's Heard It From a CISO video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In this latest installment, Dark Reading associate editor Kristina Beek interviews Patricia Voight, CISO at Webster Bank."
https://www.darkreading.com/cybersecurity-careers/mentorship-and-diversity-shaping-the-next-generation-of-cyber-experts
As More Coders Adopt AI Agents, Security Pitfalls Lurk In 2026
"Software may be eating the world — to paraphrase one tech luminary — but in 2025, AI ate software development. The vast majority of professional programmers now use large language models (LLMs) for code suggestions, debugging, and even vibe coding. Yet, challenges remain: Even as developers start to use AI agents to build applications and integrate AI services into the development and production pipeline, the quality of the code — especially the security of the code — varies significantly. Greenfield projects may see better productivity and security results than rewriting current code, especially if vulnerabilities in the older code are propagated. Some companies see few productivity gains, others see significant benefits."
https://www.darkreading.com/application-security/coders-adopt-ai-agents-security-pitfalls-lurk-2026
LLMs Can Assist With Vulnerability Scoring, But Context Still Matters
"Every new vulnerability disclosure adds another decision point for already stretched security teams. A recent study explores whether LLMs can take on part of that burden by scoring vulnerabilities at scale. While the results show promise in specific areas, consistent weaknesses continue to hold back fully automated scoring. More than 40,000 CVEs were published in 2024, and the study notes that this surge has put strain on programs that score these entries. Without timely severity ratings, teams cannot tell which risks to handle first."
https://www.helpnetsecurity.com/2025/12/26/llms-automated-vulnerability-assessment/
From AI To Cyber Risk, Why IT Leaders Are Anxious Heading Into 2026
"Cybersecurity threats are shaping IT planning for 2026, with AI maturity and regulation emerging as another major source of disruption, according to a global survey from Veeam. Veeam surveyed 250 senior IT and business decision-makers worldwide to understand how they view risks, readiness, and priorities. When respondents ranked expected disruptors for 2026, cybersecurity threats placed first. Nearly half selected security incidents as their top concern. AI maturity and regulation followed at just over 20%. Workforce shortages and cloud complexity ranked lower."
https://www.helpnetsecurity.com/2025/12/26/it-planning-cybersecurity-threats-2026/
The Next Big IT Security Battle Is All About Privileged Access
"Leostream predicts changes in Identity and Access Management (IAM) and Privileged Access Management (PAM) in 2026 driven by new realities of cybersecurity, hybridization, AI, and more. In 2026, passwordless authentication will shift from isolated pilots to full-scale enterprise adoption within privileged environments. Hardware keys, passkeys, and biometric verification will replace traditional credentials, reducing reliance on shared passwords and vaults. This transition will be driven by compliance mandates and the operational cost of credential sprawl."
https://www.helpnetsecurity.com/2025/12/26/it-privileged-access-security-trends/
From AI To Analog, Cybersecurity Tabletop Exercises Look a Little Different This Year
"It's the most wonderful time of the year … for corporate security bosses to run tabletop exercises, simulating a hypothetical cyberattack or other emergency, running through incident processes, and practicing responses to ensure preparedness if when a digital disaster occurs. "We're ultimately testing how resilient is the organization," said Palo Alto Networks Chief Security Intelligence Officer Wendi Whitmore in an interview with The Register. "It's not if we get attacked, it's: How quickly do we respond and contain these attacks.""
https://www.theregister.com/2025/12/26/end_of_year_tabletop_exercises/
From Video Games To Cyber Defense: If You Don't Think Like a Hacker, You Won't Win
"According to Remedio CEO Tal Kollender, the only way to beat the bad guys hacking into corporate networks is to "think like a hacker," and because not everyone is a teenage hacker turned cybersecurity startup chief executive, she built an AI to do this. "My thought was: if I have a hacker mindset, why not adapt it into defense," Kollender told The Register. "Because if you don't think like a hacker, you won't be able to beat them, right?""
https://www.theregister.com/2025/12/26/video_game_hacker_turned_ceo/
Death, Torture, And Amputation: How Cybercrime Shook The World In 2025
"The knock-on, and often unintentional, impacts of a cyberattack are so rarely discussed. As an industry, the focus is almost always placed on the economic damage: the ransom payment; the cost of business downtime; and goodness, don't forget those poor shareholders. But, in recent years, the toll on human life has become increasingly apparent."
https://www.theregister.com/2025/12/28/death_torture_and_amputation_how/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Industrial Sector

Threat Landscape For Industrial Automation Systems. Africa, Q3 2025
"High threat detection rates point to low cybersecurity maturity across industrial companies on the continent: the availability of internet access on OT computers, weak phishing protection, large portions of unprotected infrastructure, and still relatively poor employee cyberhygiene. In Africa, the percentage of ICS computers on which all categories of threats were blocked is higher than the global average."
https://ics-cert.kaspersky.com/publications/reports/2025/12/25/threat-landscape-for-industrial-automation-systems-africa-q3-2025/

General News

TRM Traces Stolen Crypto From 2022 LastPass Breach — On-Chain Indicators Suggest Russian Cybercriminal Involvement
"In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of roughly 30 million customer vaults — encrypted containers holding users’ most sensitive digital credentials, including crypto private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master passwords, attackers were able to download them in bulk. That created a long-tail risk for more than 25 million users globally: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time."
https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement
https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

แพ็กเกจ NPM “Lotusbail” ดักขโมยข้อมูลและยึดบัญชี What.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

พบช่องโหว่ร้ายแรงใน MongoDB อนุญาตให้ผู้โจมตี.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

กลุ่มแฮกเกอร์ APT ใช้เทคนิค DNS Poisoning ขั้นสูง เพื.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

รายละเอียดช่องโหว่:
• ช่องโหว่ CVE-2025-14847 เป็นช่องโหว่ความปลอดภัยใน MongoDB Server ซึ่งเป็นระบบฐานข้อมูลแบบ NoSQL Database (NoSQL) ช่องโหว่ดังกล่าวเกิดจากการจัดการฟิลด์ความยาวข้อมูลที่ไม่ถูกต้องในกระบวนการประมวลผลแพ็กเก็ตข้อมูลที่ถูกบีบอัดด้วย zlib ภายในโปรโตคอลเครือข่ายของ MongoDB ช่องโหว่นี้ผู้โจมตีสามารถส่งข้อมูลที่ถูกจัดรูปแบบผิดพลาด (malformed data) เข้ามายังระบบและทำให้เซิร์ฟเวอร์ตอบกลับด้วยข้อมูลจากหน่วยความจำแบบ heap ที่ยังไม่ได้ถูกกำหนดค่า (Uninitialized Memory) ซึ่งอาจนำไปสู่การรั่วไหลของข้อมูลภายในระบบได้ และผู้โจมตีสามารถโจมตีได้โดยไม่ผ่านการยืนยันตัวตน

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ:
• MongoDB 8.2.0 ถึง 8.2.2, 8.0.0 ถึง 8.0.16, 7.0.0 ถึง 7.0.27, 6.0.0 ถึง 6.0.26, 5.0.0 ถึง 5.0.31 และ 4.4.0 ถึง 4.4.29

แนวทางการตรวจสอบและการป้องกัน:

แนวทางการตรวจสอบ
• สแกนหา MongoDB ที่เปิด port เครือข่าย เพื่อค้นหาว่ามีเซิร์ฟเวอร์ใดเปิด port มาตรฐานของ MongoDB หรือพอร์ตอื่น ๆ เพื่อยืนยันการมีอยู่ของ Instance MongoDB
• ตรวจสอบว่าเซิร์ฟเวอร์ MongoDB มีการเปิดใช้งาน zlib compression อยู่หรือไม่ เพราะการเปิดใช้งานนี้เป็นปัจจัยให้ช่องโหว่สามารถถูกโจมตีได้ง่ายขึ้น
• ตรวจสอบว่าเวอร์ชันของ MongoDB ที่รันอยู่เป็นเวอร์ชันที่ถูกระบุว่าได้รับผลกระทบหรือไม่ โดยสามารถดูได้จากคำสั่งหรือวิธีการตรวจสอบเวอร์ชันมาตรฐานของ MongoDB
แนวทางการป้องกัน
• ดำเนินการอัปเดต MongoDB Server ให้เป็นเวอร์ชันล่าสุด
• จัดทำ Patch Policy และรอบการอัปเดตระบบอย่างสม่ำเสมอ
• ดำเนินการติดตั้งและตรวจสอบแพตช์ในลักษณะของการจำลองการทำงาน (Staging / UAT) ก่อนนำขึ้นใช้งานจริง (Production)
มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
• ปิดใช้งาน zlib Compression ช่วยลดการโจมตีที่เกี่ยวข้องกับช่องโหว่นี้ โดยตั้งค่าเริ่มต้นของ MongoDB ให้ ยกเลิก zlib ผ่านการตั้งค่าขณะเริ่มต้นเซิร์ฟเวอร์
• จำกัดการเข้าถึงบริการจากเครือข่ายภายนอก และอนุญาตให้เข้าถึงเฉพาะจาก IP Address หรือเครือข่ายที่เชื่อถือได้
• ปิดพอร์ต MongoDB จากการเข้าถึงโดยตรงจากอินเทอร์เน็ต

อ้างอิง:

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#MongoBleed #ThaiCERT #CyberSecurity #CVE202514847 #สกมช

ช่องโหว่ใน MongoDB Server.png

NCSA_THAICERT

Fortinet เตือนช่องโหว่ FortiOS SSL VPN เสี่ยงถูกข้ามการยื.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

FBI ยึดโดเมน ‘web3adspanels.org’ หลังพบใช้เก็บข้อมูลล็อ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

ระวังโดเมนปลอมแอบอ้าง MAS เพื่อหลอกให้ติดตั.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบข้อมูลการเปิดเผยช่องโหว่ระดับร้ายแรงในแพลตฟอร์ม n8n

หากไม่ดำเนินการแก้ไข อาจทำให้ผู้ไม่หวังดีสามารถเรียกใช้งานคำสั่งบนระบบจากระยะไกล ส่งผลกระทบต่อความมั่นคงปลอดภัยของระบบสารสนเทศของหน่วยงานได้

รายละเอียดช่องโหว่
• ช่องโหว่ CVE-2025-65964 จัดอยู่ในประเภท Inclusion of Functionality from Untrusted Control Sphere หรือการนำฟังก์ชันหรือกลไกจากแหล่งที่ไม่อยู่ภายใต้การควบคุมมาใช้งาน ซึ่งอาจถูกผู้ไม่หวังดีนำไปใช้เพื่อควบคุมการทำงานของระบบและเรียกใช้งานฟังก์ชันที่มีอยู่เดิมในลักษณะที่เป็นอันตราย ส่งผลให้สามารถเรียกใช้งานคำสั่งจากระยะไกลได้
• ช่องโหว่นี้เกิดจากการควบคุมการตั้งค่า Git configuration ภายในฟังก์ชัน Git Node ของแพลตฟอร์ม n8n ที่ไม่เหมาะสม ส่งผลให้ผู้ใช้งานที่มีสิทธิ์สร้างหรือแก้ไขกระบวนการทำงานอัตโนมัติ (Workflow) ที่มีการใช้งาน Git Node สามารถกำหนดค่าพารามิเตอร์ core.hooksPath ให้ชี้ไปยังตำแหน่งของ Git hook ที่ถูกปรับแต่งมาเป็นพิเศษได้ เมื่อมีการเรียกใช้งาน Git operation ภายใน Workflow ที่ผู้ไม่หวังดีจัดเตรียมไว้ ระบบจะเรียกใช้งาน Git hook ดังกล่าวโดยอัตโนมัติ ซึ่งเนื่องจาก Git hook เป็นสคริปต์ที่ถูกประมวลผลในระดับระบบปฏิบัติการ พฤติกรรมดังกล่าวจึงอาจถูกนำไปใช้เพื่อรันคำสั่งใด ๆ บนระบบที่ให้บริการ n8n ภายใต้สิทธิ์ของกระบวนการ n8n ได้

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
• n8n เวอร์ชันก่อนหน้า 1.119.2

️ ThaiCERT ขอแนะนำให้หน่วยงานที่ใช้งานเวอร์ชันที่ได้รับผลกระทบ เร่งดำเนินการตรวจสอบและแก้ไขโดยเร็ว

แนวทางการตรวจสอบและการป้องกัน

แนวทางการตรวจสอบ
• ตรวจสอบแพลตฟอร์ม n8n ที่ใช้งานอยู่ ว่าเป็นเวอร์ชันที่ต่ำกว่า 1.119.2 หรือไม่
• ตรวจสอบ Workflow ที่มีการใช้งาน Git Node ภายในระบบ
• ตรวจสอบว่ามีการเชื่อมต่อหรือทำงานร่วมกับ Git Repository จากแหล่งภายนอกหรือแหล่งที่ไม่น่าเชื่อถือหรือไม่
• ตรวจสอบบันทึกเหตุการณ์ (Logs) ที่เกี่ยวข้องกับการทำงานของ Git Node และ Git operation ภายใน Workflow
แนวทางการป้องกัน
• ดำเนินการอัปเดตแพลตฟอร์ม n8n เป็นเวอร์ชัน 1.119.2 หรือใหม่กว่า
• ใช้งานเฉพาะ Git Repository ที่มีความน่าเชื่อถือและผ่านการตรวจสอบแล้ว
มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
• พิจารณา ยกเลิกหรือปิดการใช้งาน Git Node ภายในแพลตฟอร์ม n8n ชั่วคราว
• หลีกเลี่ยงการ clone หรือใช้งาน Git Repository จากแหล่งที่ไม่น่าเชื่อถือผ่าน Git Node
• จำกัดการใช้งาน Git Node ให้เฉพาะ Workflow ที่มีความจำเป็น และเฉพาะผู้ใช้งานที่ได้รับอนุญาตเท่านั้น
ทั้งนี้ มาตรการดังกล่าวเป็นเพียงแนวทางชั่วคราวเพื่อบรรเทาความเสี่ยง ผู้ดูแลระบบควรดำเนินการอัปเดตแพลตฟอร์มเป็นเวอร์ชันที่ปลอดภัยโดยเร็วที่สุด

อ้างอิง
https://nvd.nist.gov/vuln/detail/CVE-2025-65964
https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq
https://cwe.mitre.org/data/definitions/829.html

(Workflow Automation Platform) n8n.png
ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

NCSA_THAICERT

Industrial Sector

Threat Landscape For Industrial Automation Systems. Middle East, Q3 2025
"In the Middle East, the percentage of ICS computers on which threats from email clients were blocked was 1.8 times higher than the global average. High levels of email threats (phishing), spyware, and ransomware clearly indicate that technological systems in the region are highly exposed to advanced attackers."
https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-middle-east-q3-2025/
Threat Landscape For Industrial Automation Systems. Asia, Q3 2025
"Southeast Asia has high rates of self-propagating malware. The region ranks first in the world in terms of the percentage of ICS computers on which viruses and malware for AutoCAD were blocked. In both cases, it leads by a wide margin. In most cases, malware for AutoCAD is distributed in the same way as viruses. This explains the high percentage exhibited by this malware category."
https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-asia-q3-2025/

New Tooling

Conjur: Open-Source Secrets Management And Application Identity
"Conjur is an open-source secrets management project designed for environments built around containers, automation, and dynamic infrastructure. It focuses on controlling access to credentials such as database passwords, API keys, and tokens that applications need at runtime. The project is maintained in the open and developed with input from a user and contributor base."
https://www.helpnetsecurity.com/2025/12/24/conjur-open-source-secrets-management/
https://github.com/cyberark/conjur

Vulnerabilities

MongoDB Warns Admins To Patch Severe RCE Flaw Immediately
"MongoDB has warned IT admins to immediately patch a high-severity vulnerability that can be exploited in remote code execution (RCE) attacks targeting vulnerable servers. Tracked as CVE-2025-14847, this security flaw affects multiple MongoDB and MongoDB Server versions and can be exploited by unauthenticated threat actors in low-complexity attacks that don't require user interaction. CVE-2025-14847 is due to an improper handling of length parameter inconsistency, which can allow attackers to execute arbitrary code and potentially gain control of targeted devices."
https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
https://jira.mongodb.org/browse/SERVER-115508
Net-SNMP Snmptrapd Vulnerability
"A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash."
https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq
Security Bulletin: NVIDIA Isaac Launchable - December 2025
"NVIDIA has released an update for the NVIDIA Isaac Launchable to address a security issue that might lead to the impacts described in this bulletin. To protect your system, download and install the latest version of Isaac Launchable."
https://nvidia.custhelp.com/app/answers/detail/a_id/5749

Malware

Empty Promises In MENA: How Online Quick Cash Schemes Exploit The Gig Economy
"Fake online job ads continue to circulate across social media, especially in Arab countries, offering easy remote work and quick income. The sinister goal: to harvest sensitive information, from ID documents to banking details. This blog explains how the scheme operates, who the scammers target, and how to prevent falling victim to it."
https://www.group-ib.com/blog/online-job-scams-mena/
https://www.infosecurity-magazine.com/news/scams-mena-fake-online-job/
Evasive Panda APT Poisons DNS Requests To Deliver MgBot
"The Evasive Panda APT group (also known as Bronze Highland, Daggerfly, and StormBamboo) has been active since 2012, targeting multiple industries with sophisticated, evolving tactics. Our latest research (June 2025) reveals that the attackers conducted highly-targeted campaigns, which started in November 2022 and ran until November 2024. The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims."
https://securelist.com/evasive-panda-apt/118576/
GeoServer, Where Various CoinMiner Attacks Occur
"AhnLab SEcurity intelligence Center (ASEC) previously covered the case of threat actors exploiting the GeoServer vulnerability to install CoinMiner and NetCat through the “CoinMiner Attacks Exploiting GeoServer Vulnerability” blog. [1] The threat actors have been continuously targeting vulnerable GeoServers to install CoinMiner. This post will cover the identified cases of CoinMiner installation."
https://asec.ahnlab.com/en/91724/
Fake MAS Windows Activation Domain Used To Spread PowerShell Malware
"A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'. BleepingComputer has found that multiple MAS users began reporting on Reddit [1, 2] yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection."
https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/
Product Security Advisory And Analysis: Observed Abuse Of FG-IR-19-283
"Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations. This blog analysis describes the observed abuse and provides additional context so that administrators can confirm that they are not impacted and guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited."
https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283
Operation PCPcat: Hunting a Next.js Credential Stealer That's Already Compromised 59K Servers
"A threat campaign called 'PCPcat' is silently harvesting credentials from Next.js deployments at scale. Through active honeypot reconnaissance, I breached their C2 API and exposed their operational metrics: 59,128 confirmed server compromises, a 64.6% success rate, and a blueprint for exploiting the entire global infrastructure. This is what industrial-scale credential theft looks like, and how to detect it."
https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/
APT36 LNK-Based Malware Campaign Leveraging MSI Payload Delivery
"CYFIRMA is dedicated to providing advanced warning and strategic analysis of the evolving cyber threat landscape. Our latest report analyzes a targeted malware campaign attributed to APT-36, which leverages social engineering and a malicious shortcut file disguised as a government advisory PDF. The attack delivers a hidden MSI payload that deploys a .NET-based loader, malicious DLLs, and establishes registry-based persistence while displaying a legitimate-looking decoy document to avoid suspicion."
https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/
UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel
"SEQRITE Labs’ APT Team has been tracking Unknown-Clusters [UNG0801], a slightly advanced yet persistent threat entity believed to originate from Western Asia, with activity primarily observed against Israeli organizations. The cluster shows a strong focus on enterprise environments, relying on socially engineered phishing lures written in Hebrew and designed to resemble routine internal communications, such as compliance updates, security advisories, or corporate webinar announcements."
https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/
Operation Artemis: Analysis Of HWP-Based DLL Side Loading Attacks
"Genians Security Center identified the “Artemis” campaign conducted by the APT37 group. The threat actor embedded a malicious OLE object inside an HWP document in a covert manner. The attack chain is triggered when the user trusts the document content and clicks the hyperlink. When the OLE object was loaded, the threat actor used a masquerading technique launching a legitimate process first. This multi-stage procedure leverages legitimate execution flow to evade detection by signature-based security solutions. Subsequently, the payload was executed by calling a malicious DLL within the execution context of the legitimate process."
https://www.genians.co.kr/en/blog/threat_intelligence/dll

General News

Governance Maturity Defines Enterprise AI Confidence
"AI security has reached a point where enthusiasm alone no longer carries organizations forward. New Cloud Security Alliance research shows that governance has become the main factor separating teams that feel prepared from those that do not."
https://www.helpnetsecurity.com/2025/12/24/csa-ai-security-governance-report/
Counterfeit Defenses Built On Paper Have Blind Spots
"Counterfeit protection often leans on the idea that physical materials have quirks no attacker can copy. A new study challenges that comfort by showing how systems built on paper surface fingerprints can be disrupted or bypassed. The research comes from teams at the University of Maryland and North Carolina State University, and examines paper based physically unclonable functions, or paper PUFs, which rely on microscopic surface variations in paper to authenticate products."
https://www.helpnetsecurity.com/2025/12/24/counterfeit-defenses-paper-puf-security/
https://arxiv.org/pdf/2512.09150
Eurostar Accused Researchers Of Blackmail For Reporting AI Chatbot Flaws
"The rush to add AI to customer service, which we have been witnessing lately in almost every sector, can sometimes come at a high price for security. On December 22, 2025, the team of ethical hackers at Pen Test Partners (PTP) went public with a series of flaws they found in the new AI chatbot for Eurostar. For your information, Eurostar is the famous high-speed rail operator that connects the UK to mainland Europe through the Channel Tunnel, carrying millions of travellers between major hubs like London, Paris, and Amsterdam."
https://hackread.com/eurostar-blackmail-research-report-ai-chatbot-flaw/
https://www.theregister.com/2025/12/24/pentesters_reported_eurostar_chatbot_flaws/
SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips
"The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation."
https://thehackernews.com/2025/12/sec-files-charges-over-14-million.html
https://www.sec.gov/newsroom/press-releases/2025-144-sec-charges-three-purported-crypto-asset-trading-platforms-four-investment-clubs-scheme-targeted
https://www.infosecurity-magazine.com/news/sec-charges-crypto-firms/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Industrial Sector

Threat Landscape For Industrial Automation Systems. Australia And New Zealand, Q3 2025
"The cybersecurity situation in Australia and New Zealand is among the most favorable across all regions. The region ranked 11th in Q3 2025 based on the percentage of ICS computers on which malicious objects were blocked. At the same time, the region was in higher positions in the relevant rankings for some threat sources and categories:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q3-2025/
Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q3 2025
"In South America, the percentage of ICS computers on which threats from mail clients were blocked is 1.8 times higher than the global average. On this metric, the region ranks third globally. High levels of email threats (phishing) and spyware clearly indicate that industrial OT systems in the region are highly exposed to advanced attackers."
https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q3-2025/

Vulnerabilities

Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands Of Instances
"A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime," the maintainers of the npm package said."
https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html
https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
https://censys.com/advisory/cve-2025-68613
https://securityaffairs.com/186036/hacking/critical-n8n-flaw-could-enable-arbitrary-code-execution.html
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/186021/security/u-s-cisa-adds-a-flaw-in-digiever-ds-2105-pro-to-its-known-exploited-vulnerabilities-catalog.html
Revisiting CVE-2025-50165: A Critical Flaw In Windows Imaging Component
"ESET researchers examined CVE‑2025‑50165, a serious Windows vulnerability described to grant remote code execution by merely opening a specially crafted JPG file – one of the most widely used image formats. The flaw, found and documented by Zscaler ThreatLabz, piqued our interest, as Microsoft assessed its severity as critical but deemed its exploitability as less likely. Our root cause analysis allowed us to pinpoint the exact location of the faulty code and reproduce the crash. We believe that the exploitation scenario is harder than it appears to be."
https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/
CVE-2025–52692: Discovery And Exploitation Of Zero-Day Vulnerability In Linksys E9450-SG Router
"At the Centre for Strategic Infocomm Technologies (CSIT), we perform vulnerability research on a wide range of platforms including Internet of Things (IoT) devices. Consumer routers are particularly attractive targets because they expose internal networks and often contain exploitable flaws. Most consumers use routers provided by their Internet Service Provider (ISP). One such router is the Linksys E9450-SG AX5400 Wi-Fi 6 router that Singtel distributed in 2021. It is certified as a CSA CLS Level 1 device (CSA/060225/V0009)."
https://medium.com/csit-tech-blog/cve-2025-52692-discovery-and-exploitation-of-zero-day-vulnerability-in-linksys-e9450-sg-router-cda5c829bbf9

Malware

From Cheats To Exploits: Webrat Spreading Via GitHub
"In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field."
https://securelist.com/webrat-distributed-via-github/118555/
https://www.bleepingcomputer.com/news/security/webrat-malware-spread-via-fake-vulnerability-exploits-on-github/
https://www.helpnetsecurity.com/2025/12/23/fake-poc-exploits-webrat-malware/
From Email To Exfiltration: How Threat Actors Steal ADP Login And Personal Data
"Recently, threat actors have been impersonating employees at major companies, such as ADP, a leading global provider of human resources management and payroll processing services. The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign imitating ADP, allowing the threat actor to gain access to employee accounts and steal sensitive information. To help employees identify phishing threats and become the first line of defense against threat actors, we broke down this real-life example."
https://cofense.com/blog/from-email-to-exfiltration-how-threat-actors-steal-adp-login-and-personal-data
RTO Scam Wave Continues: A Surge In Browser-Based e-Challan Phishing And Shared Fraud Infrastructure
"Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users."
https://cyble.com/blog/rto-scam-wave-continues/
Malicious Chrome Extensions “Phantom Shuttle” Masquerade As a VPN To Intercept Traffic And Exfiltrate Credentials
"Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (幻影穿梭), published by the same threat actor using the email theknewone.com@gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel. Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations. Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 server."
https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle
https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
https://www.bleepingcomputer.com/news/security/malicious-extensions-in-chrome-web-store-steal-user-credentials/
Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
"Over the past few months, tax-themed phishing and malware campaigns have surged, particularly during and after the Income Tax Return (ITR) filing season. With ongoing public discussions around refund timelines, these scams appear more credible, giving attackers the perfect context to craft convincing lures. We recently analyzed emails impersonating the Indian Income Tax Department (ITD). At first glance, the message resembled an official “Tax Compliance Review Notice.” However, deeper investigation revealed it was part of a broader phishing campaign targeting Indian businesses with a multi-stage infection chain designed to deploy persistent Remote Access Trojans (RATs) or infostealer malware."
https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
In Depth Analysis Of The Alleged Qilin, DragonForce And LockBit Alliance
"On the occasion of the announcement made by the ransomware group DragonForce regarding the creation of an alliance between DragonForce, Qilin, and LockBit, identified on September 15, 2025, the Cyber Intelligence Team conducted an analysis based on internally collected data to assess the potential risk and the credibility of the claim. This activity was carried out as part of ongoing ransomware claims monitoring operations aimed at identifying emerging risks and issuing customer alerts."
https://labs.yarix.com/2025/12/in-depth-analysis-of-the-alleged-qilin-dragonforce-and-lockbit-alliance/
Quishing Campaigns : Advanced QR-Code Phishing Evaluation And Insights
"CYFIRMA examines a sophisticated phishing campaign that leverages QR-code-based delivery, commonly referred to as “quishing,” to target employees with messages related to payroll and compensation. By combining personalized social engineering with obfuscated scripts and dynamically generated infrastructure, attackers increase the likelihood of engagement while evading traditional security controls. The campaign demonstrates a high level of operational sophistication, emphasizing the shift toward targeted, industry-specific threats. Findings underscore the need for enhanced user awareness, proactive monitoring, and intelligence-driven defenses to protect organizational credentials and sensitive data."
https://www.cyfirma.com/research/quishing-campaigns-advanced-qr-code-phishing-evaluation-and-insights/

Breaches/Hacks/Leaks

Baker University Says 2024 Data Breach Impacts 53,000 People
"Baker University has disclosed a data breach after attackers gained access to its network one year ago and stole the personal, health, and financial information of over 53,000 individuals. Founded in 1858, Baker University is a private university in Baldwin City, Kansas, with nearly 2,000 enrolled students (1,457 undergraduates) and over 300 employees. The school detected suspicious activity on its network after a December 2024 outage and found that attackers had access to its systems from December 2 to 19, stealing sensitive documents."
https://www.bleepingcomputer.com/news/security/baker-university-data-breach-impacts-over-53-000-individuals/
More Than 22 Million Aflac Customers Impacted By June Data Breach
"A data breach in June exposed the information of more than 22 million Aflac customers, according to a new statement from the company. The Georgia-based insurance giant published a statement on Friday about the conclusion of a months-long investigation into a cybersecurity incident announced earlier this year. The company previously warned the Securities Exchange Commission (SEC) that while it was able to stop a hacker intrusion “within hours,” some files were stolen by the cybercriminals."
https://therecord.media/22-million-impacted-aflac-breach

General News

Formal Proofs Expose Long Standing Cracks In DNSSEC
"DNSSEC is meant to stop attackers from tampering with DNS answers. It signs records so resolvers can verify that data is authentic and unchanged. Many security teams assume that if DNSSEC validation passes, the answer can be trusted. New academic research suggests that assumption deserves closer scrutiny. Researchers from Palo Alto Networks, Purdue University, the University of California Irvine, and the University of Texas at Dallas present an analysis of DNSSEC that goes beyond bug hunting. Instead of searching for individual flaws, the team built a mathematical model of the protocol and asked a deeper question. Does DNSSEC, as written and deployed, always behave securely under all conditions?"
https://www.helpnetsecurity.com/2025/12/23/dnssec-validation-risks-research/
https://arxiv.org/pdf/2512.11431
AI Code Looks Fine Until The Review Starts
"Software teams have spent the past year sorting through a rising volume of pull requests generated with help from AI coding tools. New research puts numbers behind what many reviewers have been seeing during work. The research comes from CodeRabbit and examines how AI co-authored code compares with human written code across hundreds of open source projects. The findings track issue volume, severity, and the kinds of problems that appear most often. The data shows recurring risks tied to logic, correctness, readability, and security that matter directly to security and reliability teams."
https://www.helpnetsecurity.com/2025/12/23/coderabbit-ai-assisted-pull-requests-report/
Cloud Security Is Stuck In Slow Motion
"Cloud environments are moving faster than the systems meant to protect them. A new Palo Alto Networks study shows security teams struggling to keep up with development cycles, growing cloud sprawl, and attacker tactics that now compress breaches into minutes instead of weeks."
https://www.helpnetsecurity.com/2025/12/23/palo-alto-networks-cloud-incident-response-report/
The Week In Vulnerabilities: More Than 2,000 New Flaws Emerge
"Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks."
https://cyble.com/blog/it-vulnerabilities-ics-record-week-new-flaws/
Amazon Fends Off 1,800 Suspected DPRK IT Job Scammers
"Much has been said about IT worker scams in the last few years, but it's not every day that we get a glimpse into how pervasive the issue has become. Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented "more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we've detected 27% more DPRK-affiliated applications quarter-over-quarter this year.""
https://www.darkreading.com/remote-workforce/amazon-fends-off-dprk-it-job-scammers
Top Ransomware Trends Of 2025
"The past year was much quieter than 2024 in ransomware takedown and anti-cybercrime law enforcement operations. Additionally, less organized collectives such as Scattered Spider, Lapsus$ and ShinyHunters grabbed many of the headlines in 2025. However, traditional ransomware syndicates continued to be active throughout the year. According to ransomware tracking website Ransomware.live, 306 groups were active over the past year, listing 7902 victims at the time of writing. This is significantly higher than the 6129 victims listed in 2024 and the 5336 victims listed in 2023."
https://www.infosecurity-magazine.com/news/top-ransomware-trends-of-2025/
Why Third-Party Access Remains The Weak Link In Supply Chain Security
"Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time."
https://securityaffairs.com/186026/security/why-third-party-access-remains-the-weak-link-in-supply-chain-security.html
U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme
"The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of bank account takeover fraud. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia."
https://thehackernews.com/2025/12/us-doj-seizes-fraud-domain-behind-146.html
https://therecord.media/us-disrupts-bank-account-takeover-operation-web3adspanels
https://www.securityweek.com/feds-seize-password-database-used-in-massive-bank-account-takeover-scheme/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Industrial Sector

Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
"High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. In Eastern Europe, the percentage of ICS computers on which threats from email clients were blocked is 1.3 times higher than the global average. The percentage of ICS computers on which malicious documents are blocked also exceeds the global average by a factor of 1.3."
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/
Threat Landscape For Industrial Automation Systems. Russia, Q3 2025
"The main categories of internet threats blocked on ICS computers include denylisted internet resources, malicious scripts and phishing pages, and miners. The list of denylisted internet resources is used to prevent initial infection attempts. In particular, the following threats on ICS computers are blocked with the aid of this list:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/

New Tooling

Anubis: Open-Source Web AI Firewall To Protect From Scraper Bots
"Anubis is an open-source tool designed to protect websites from automated scraping and abusive traffic by adding computational friction before a request is served. Maintained by TecharoHQ, the project targets a growing problem for site operators who want to keep content accessible to humans while limiting large scale automated collection."
https://www.helpnetsecurity.com/2025/12/22/anubis-open-source-web-ai-firewall-protect-from-bots/
https://github.com/TecharoHQ/anubis

Vulnerabilities

Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
"Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/

Malware

The Shadow Of JWT-Based Authentication: A Fatal Threat Behind The Convenience
"JWT, which has become the standard for modern web applications and mobile apps, provides the convenience of stateless authentication. However, when operated and managed unsafely, it can become a single point of failure that collapses the entire authentication system. This post introduces the concept and authentication methods of JWT, analyzes its key vulnerabilities based on CVE cases, and suggests practical defense strategies for prevention and mitigation."
https://asec.ahnlab.com/en/91676/
From ClickFix To Code Signed: The Quiet Shift Of MacSync Stealer Malware
"While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach."
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/
NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
"The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing. Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server."
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/
Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities To Evade Detection
"This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients."
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/
Nezha: The Monitoring Tool That’s Also a Perfect RAT
"Ontinue’s Cyber Defense Center discovered attackers using Nezha, a legitimate open-source monitoring tool, as a post-exploitation RAT. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Organisations should hunt for Nezha presence proactively and ensure behavioural monitoring is in place to catch post-exploitation activity."
https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
https://www.infosecurity-magazine.com/news/nezha-abused-post-exploitation/
DDoS Incident Disrupts France’s Postal And Banking Services Ahead Of Christmas
"France’s national postal service, La Poste, confirmed that a suspected cyberattack disrupted its websites and mobile applications days before Christmas, slowing deliveries and knocking some online services offline. In a statement on Monday, La Poste said that a distributed denial-of-service (DDoS) incident knocked key digital systems offline. The company said there was no evidence that customer data had been compromised, but acknowledged that postal operations, including parcel distribution, had been affected."
https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas
I Am Not a Robot: ClickFix Used To Deploy StealC And Qilin
"ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT)."
https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin
Inside DPRK Operations: New Lazarus And Kimsuky Infrastructure Uncovered Across Global Campaigns
"Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators. These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on."
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered

Breaches/Hacks/Leaks

Nissan Says Thousands Of Customers Exposed In Red Hat Breach
"Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September. The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia. In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat."
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/
Romanian Water Authority Hit By Ransomware Attack Over Weekend
"Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected."
https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
https://therecord.media/romania-national-water-agency-ransomware-attack
https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
University Of Phoenix Data Breach Impacts Nearly 3.5 Million Individuals
"The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August. Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with 82,700 enrolled students and 3,400 employees (nearly 2,300 academic staff). In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC)."
https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/
Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
"oupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts which is equivalent to nearly two-thirds of the Korean population. This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW). This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods."
https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/

General News

Browser Agents Don’t Always Respect Your Privacy Choices
"Browser agents promise to handle online tasks without constant user input. They can shop, book reservations, and manage accounts by driving a web browser through an AI model. A new academic study warns that this convenience comes with privacy risks that security teams should not ignore."
https://www.helpnetsecurity.com/2025/12/22/browser-agents-privacy-risks-study/
https://arxiv.org/pdf/2512.07725
574 Arrests And USD 3 Million Recovered In Coordinated Cybercrime Operation Across Africa
"Law enforcement in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel (27 October – 27 November) focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million."
https://www.interpol.int/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
https://www.helpnetsecurity.com/2025/12/22/europol-africa-cybercrime-arrests-2025/
Building Cyber Talent Through Competition, Residency, And Real-World Immersion
"In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths."
https://www.helpnetsecurity.com/2025/12/22/chrisma-jackson-sandia-national-laboratories-recruiting-cybersecurity-professionals/
86% Surge In Fake Delivery Websites Hits Shoppers During Holiday Rush
"An 86% increase in malicious postal service websites over the past month has heightened the risk for consumers tracking holiday deliveries. Cybercriminals are reportedly capitalizing on the seasonal spike in online shopping by sending convincing messages that appear to come from legitimate delivery companies, often warning of delayed or suspended packages. The fake alerts typically arrive via text message or email and include links designed to steal personal or financial information. With shoppers expecting frequent updates, these scams are more likely to succeed during peak shipping periods."
https://www.infosecurity-magazine.com/news/surge-fake-delivery-holidays/
Rising Tides: When Cybersecurity Becomes Personal – Inside The Work Of An OSINT Investigator
"“All of us matter, or none of us do,” a strong statement from Shannon Miller, OSINT Investigator and Privacy Consultant. For those of us who know Miller, it’s not the first time we’ve heard that plea and it won’t be the last. Her significant career and non-profit work to help victims of domestic danger and other similar malice find safety, she’s seen first-hand how the dangers are amplified for marginalized and vulnerable groups who do not have as much access to tools, education, and other critical resources to protect themselves and their families."
https://www.securityweek.com/rising-tides-when-cybersecurity-becomes-personal-inside-the-work-of-an-osint-investigator/
Spy Turned Startup CEO: 'The WannaCry Of AI Will Happen'
"In my past life, it would take us 360 days to develop an amazing zero day," Zafran Security CEO Sanaz Yashar said. She's talking about the 15 years she spent working as a spy - she prefers "hacking architect" - inside the Israel Defense Forces' elite cyber group, Unit 8200. "Now, the volume and speed is changing so much that for the first time ever, we have a negative time-to-exploit, meaning it takes less than a day to see vulnerabilities being exploited, being weaponized before they were patched," Yashar told The Register. "That is not something you used to see."
https://www.theregister.com/2025/12/22/zafran_security_ceo/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

มัลแวร์ MacSync Stealer บน MacOS ปลอมใบรับรอง แฝงแอปแชทข_.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand