NCSA Webboard

    Posts created by NCSA_THAICERT

    • Operation WrtHug compromises more than 50,000 ASUS routers to build a global botnet


      You can follow the news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers are exploiting the 7-Zip RCE vulnerability (CVE-2025-11001)



      Posted in Cyber Security News
      NCSA_THAICERT
    • Sneaky2FA attack kit upgrades its Browser-in-the-Browser technique to steal Microsoft 365 accounts convincingly



      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases six Industrial Control Systems (ICS) advisories

      On 20 November 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released six Industrial Control Systems (ICS) advisories, providing timely information on security issues, vulnerabilities and exploits affecting ICS. They are as follows:

      • ICSA-25-324-01 Automated Logic WebCTRL Premium Server
      • ICSA-25-324-02 ICAM365 CCTV Camera Multiple Models
      • ICSA-25-324-03 Opto 22 GRV-EPIC and GRV-RIO
      • ICSA-25-324-04 Festo MSE6-C2M/D2M/E2M
      • ICSA-25-324-05 Festo Didactic products
      • ICSA-25-324-06 Emerson Appleton UPSMON-PRO

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/alerts/2025/11/20/cisa-releases-six-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA releases guide on mitigating risks from Bulletproof Hosting providers

      On 19 November 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released a guide on mitigating risks from bulletproof hosting providers.

      CISA, together with the U.S. National Security Agency (NSA), the U.S. Department of Defense Cyber Crime Center, the Federal Bureau of Investigation (FBI) and international partners, published the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders reduce the risk of cybercriminal attacks that rely on Bulletproof Hosting (BPH) infrastructure.

      Organizations with unprotected or misconfigured systems remain at high risk of compromise, because malicious actors routinely use BPH infrastructure to carry out intrusions such as ransomware attacks, phishing, malware delivery and denial-of-service (DoS) attacks. BPH providers are therefore a significant threat to the security and resilience of critical systems and services.

      CISA and its partners urge ISPs and network defenders to implement the recommendations in this guide to reduce the risks posed by BPH providers. Degrading the effectiveness of BPH infrastructure forces cybercriminals to rely instead on providers that comply with legal process.

      References
      https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers?utm_source=https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers&utm_medium=GovDelivery

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds one exploited vulnerability to its catalog

      On 19 November 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability

      Vulnerabilities of this kind are frequently used as attack vectors by malicious actors and pose serious risks to federal government networks.

      CISA's Binding Operational Directive BOD 22-01 established the Known Exploited Vulnerabilities (KEV) catalog as a list of CVEs that carry high risk and are known to be actively exploited. Federal Civilian Executive Branch (FCEB) agencies must remediate the listed vulnerabilities by the specified due dates to protect their networks from these threats.

      CISA will continue to update the KEV catalog with new vulnerabilities so that it covers risks actually observed in the wild, now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 20 November 2025

      New Tooling

      • Metis: Open-Source, AI-Driven Tool For Deep Security Code Review
        "Metis is an open source tool that uses AI to help engineers run deep security reviews on code. Arm’s product security team built Metis to spot subtle flaws that are often buried in large or aging codebases where traditional tools struggle. Metis relies on LLMs that can analyze code with semantic reasoning instead of fixed rules. Arm says this gives the tool an edge over linters and other static analysis systems that depend on signatures or pattern matching. The goal is to help engineers find issues that might otherwise slip through manual review, while also cutting down on review fatigue."
        https://www.helpnetsecurity.com/2025/11/19/metis-open-source-code-review/
        https://github.com/arm/metis

      Vulnerabilities

      • W3 Total Cache WordPress Plugin Vulnerable To PHP Command Injection
        "A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection. W3TC is installed on more than one million websites to increase performance and reduce load times."
        https://www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/
        https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
      • From Prompt To Pwn: Cline Bot AI Coding Agent Vulnerabilities
        "Pair programming can be a useful methodology, but normally you have agency in vetting your partner. As far as teammates go, AI coding assistants are like the golden retrievers of development: endlessly eager, wildly helpful, and perhaps a little too trusting. In this post, we’ll show how a clever attacker can slip prompt injections into your source files turning your helpful partner into a hazard."
        https://mindgard.ai/resources/cline-coding-agent-vulnerabilities
        https://hackread.com/cline-bot-ai-agent-vulnerable-data-theft-code-execution/
      • When AI Turns On Its Team: Exploiting Agent-To-Agent Discovery Via Prompt Injection
        "Earlier this year, I discovered a combination of behaviors within ServiceNow’s Now Assist AI implementation that can facilitate a unique kind of second-order prompt injection attack. Through this behavior, I instructed a seemingly benign Now Assist agent to recruit more powerful agents in fulfilling a malicious and unintended task. This included performing Create, Read, Update, and Delete (CRUD) actions on record data and sending external emails containing contents of other records, all while the ServiceNow prompt injection protection feature was enabled."
        https://appomni.com/ao-labs/ai-agent-to-agent-discovery-prompt-injection/
        https://thehackernews.com/2025/11/servicenow-ai-agents-can-be-tricked.html
        https://www.bankinfosecurity.com/misconfigured-ai-agents-let-attacks-slip-past-controls-a-30068
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-gives-govt-agencies-7-days-to-patch-new-fortinet-flaw/
        https://securityaffairs.com/184832/hacking/u-s-cisa-adds-a-new-fortinet-fortiweb-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/184856/hacking/u-s-cisa-adds-a-google-chromium-v8-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • Comet’s MCP API Allows AI Browsers To Execute Local Commands
        "SquareX has discovered a critical security vulnerability in Comet, Perplexity’s AI browser, that fundamentally compromises user trust and device security. Our research reveals that Comet has implemented an MCP API that allows its embedded extensions to execute arbitrary local commands on host devices without explicit user permission, capabilities that traditional browsers explicitly prohibit to confine the damage web threats can do to the browser."
        https://labs.sqrx.com/comet-mcp-api-allows-ai-browsers-to-execute-local-commands-dec185fb524b

      Malware

      • PlushDaemon Compromises Network Devices For Adversary-In-The-Middle Attacks
        "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure."
        https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
        https://www.bleepingcomputer.com/news/security/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks/
        https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
        https://therecord.media/china-aligned-threat-actor-espionage-network-devices
        https://www.infosecurity-magazine.com/news/plushdaemon-new-malware-china-spy/
        https://www.helpnetsecurity.com/2025/11/19/eset-plushdaemon-dns-hijacking/
      • WrtHug Exploits Six ASUS WRT Flaws To Hijack Tens Of Thousands Of EoL Routers Worldwide
        "A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded. The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022."
        https://thehackernews.com/2025/11/wrthug-exploits-six-asus-wrt-flaws-to.html
        https://www.bleepingcomputer.com/news/security/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers/
        https://www.infosecurity-magazine.com/news/chinal-operation-wrthug-thousands/
        https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/
        https://www.bankinfosecurity.com/asus-routers-hacked-in-wrthug-campaign-a-30064
        https://securityaffairs.com/184841/cyber-crime/operation-wrthug-hijacks-50000-asus-routers-to-build-a-global-botnet.html
      • Meet ShinySp1d3r: New Ransomware-As-a-Service Created By ShinyHunters
        "An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups. These threat actors have traditionally used other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates."
        https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/
      • New Amazon Threat Intelligence Findings: Nation-State Actors Bridging Cyber And Kinetic Warfare
        "The line between cyber warfare and traditional kinetic operations is rapidly blurring. Recent investigations by Amazon threat intelligence teams have uncovered a new trend that they’re calling cyber-enabled kinetic targeting in which nation-state threat actors systematically use cyber operations to enable and enhance physical operations. Traditional cybersecurity frameworks often treat digital and physical threats as separate domains. However, research by Amazon demonstrates that this separation is increasingly artificial. Multiple nation-state threat groups are pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting."
        https://aws.amazon.com/blogs/security/new-amazon-threat-intelligence-findings-nation-state-actors-bridging-cyber-and-kinetic-warfare/
        https://cyberscoop.com/amazon-cyber-enabled-kinetic-targeting/
        https://www.securityweek.com/amazon-details-irans-cyber-enabled-kinetic-attacks-linking-digital-spying-to-physical-strikes/
        https://www.theregister.com/2025/11/19/amazon_cso_warfare_cyber_kinetic/
      • Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
        "A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday. The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025. "The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories," Trend Micro's Zero Day Initiative (ZDI) said in an alert released last month. "An attacker can leverage this vulnerability to execute code in the context of a service account.""
        https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html
        https://digital.nhs.uk/cyber-alerts/2025/cc-4719
        https://securityaffairs.com/184850/security/7-zip-rce-flaw-cve-2025-11001-actively-exploited-in-attacks-in-the-wild.html
        https://www.helpnetsecurity.com/2025/11/19/7-zip-vulnerability-is-being-actively-exploited-nhs-england-warns-cve-2025-11001/
      • SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
        "Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
        https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html
        https://www.infosecurity-magazine.com/news/eternidade-stealer-trojan-brazil/

      Breaches/Hacks/Leaks

      • Researchers Claim 'largest Leak Ever' After Uncovering WhatsApp Enumeration Flaw
        "Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history." The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set."
        https://www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/
        https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf
      • Hacker Selling Alleged Samsung Medison Data Stolen In 3rd Party Breach
        "A hacker using the alias 888 on a cybercrime forum is offering internal records and data they claim belong to Samsung. In a post dated 13 November 2025, the hacker says the breach came from an attack on a third-party contractor, giving them access to data from several companies, including Samsung. The hacker says the files include source code, private keys, SMTP credentials, configuration files, hardcoded credentials and user PII taken from a healthcare backup. The post also lists access to MSSQL and AWS S3. In a note, the hacker adds that the MSSQL and AWS S3 data were already exported and dumped, and that the access itself was an extra item they were offering."
        https://hackread.com/hacker-samsung-medison-data-breach-3rd-party/
      • Major Russian Insurer Facing Widespread Outages After Cyberattack
        "Russian insurer VSK has spent a week attempting to restore services after a major cyberattack damaged its systems, knocking offline its website, mobile app and other services used by millions of customers. One of Russia’s largest universal insurers, Moscow-based VSK serves about 33 million people and more than 500,000 businesses and provides property, transport, health, travel, cargo and corporate insurance."
        https://therecord.media/russia-vsk-cyberattack-outages

      General News

      • The Long Conversations That Reveal How Scammers Work
        "Online scammers often take weeks to build trust before making a move, which makes their work hard to study. A research team from UC San Diego built a system that does the patient work of talking to scammers at scale, and the result offers a look into how long game fraud unfolds. Their system, called CHATTERBOX, uses synthetic personas, an LLM driven conversational engine, and human oversight to gather conversations that stretch across platforms and formats."
        https://www.helpnetsecurity.com/2025/11/19/research-how-scammers-work/
        https://arxiv.org/pdf/2510.23927
      • California Man Admits To Laundering Crypto Stolen In $230M Heist
        "A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency heist. Kunal Mehta (also known as "Papa," "The Accountant," and “Shrek") is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025. According to court documents, the defendant was part of a large group that, through social engineering, gained access to victims' cryptocurrency accounts between October 2023 and March 2025 and transferred funds into crypto wallets under their control."
        https://www.bleepingcomputer.com/news/security/california-man-admits-to-laundering-crypto-stolen-in-230m-heist/
      • Cloudflare Blames This Week's Massive Outage On Database Issues
        "On Tuesday, Cloudflare experienced its worst outage in 6 years, blocking access to many websites and online platforms for almost 6 hours after a change to database access controls triggered a cascading failure across its Global Network. The company's Global Network is a distributed infrastructure of servers and data centers across more than 120 countries, providing content delivery, security, and performance optimization services and connecting Cloudflare to over 13,000 networks, including every major ISP, cloud provider, and enterprise worldwide. Matthew Prince, the company's CEO, said in a post-mortem published after the outage was mitigated that the service disruptions were not caused by a cyberattack."
        https://www.bleepingcomputer.com/news/technology/cloudflare-blames-this-weeks-massive-outage-on-database-issues/
        https://www.darkreading.com/cyber-risk/cloudflare-blames-outage-internal-error
      • The 6 URL Shorteners You Didn't Know Were Helping Hackers
        "Threat actors are constantly evolving and adapting by discovering new, unique ways to bypass email-based security controls. One key method they exploit is the abuse of URL shortening services (also known as URL shorteners or link shorteners). These legitimate online tools allow users and businesses to make short aliases of longer URLs for a variety of reasons including aesthetics, easier sharing, gathering analytics, or improving perceived legitimacy. Threat actors take advantage of the tools offered by link shortening services to deliver malware and credential phishing. Cofense Intelligence has identified the most commonly abused legitimate URL shortening services, as shown in Table 1."
        https://cofense.com/blog/the-6-url-shorteners-you-didn-t-know-were-helping-hackers
      • IT Threat Evolution In Q3 2025. Non-Mobile Statistics
        "The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site."
        https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/
        https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
      • AI Is Supercharging Phishing: Here’s How To Fight Back
        "Phishing continues to be one of the most widespread and effective tactics, techniques, and procedures (TTPs) in today’s cyber threat landscape. It often serves as a gateway to data breaches that can have devastating consequences for organizations and individuals alike. For example, General Dynamics, a leading aerospace and defense contractor, reported in late 2024 that a phishing attack targeting its personnel resulted in threat actors compromising dozens of employee benefits accounts."
        https://www.securityweek.com/ai-is-supercharging-phishing-heres-how-to-fight-back/
      • Selling Technology Investments To The Board: a Strategic Guide For CISOs And CIOs
        "In today's enterprise environment, technology investments are no longer judged solely by their technical sophistication. Approval depends on their ability to support business goals, mitigate risk, and create value for shareholders. CIOs and CISOs are expected to present their strategies not as technical upgrades but as business enablers. The challenge is not just making the right investments, but framing them in ways that resonate at the boardroom level."
        https://www.theregister.com/2025/11/19/zscaler-selling-technology-investments/
      • Half Of Ransomware Access Due To Hijacked VPN Credentials
        "Ransomware surged in Q3 2025, with just three groups accounting for the majority of cases (65%), and initial access most commonly achieved via compromised VPN credentials, according to Beazley Security. The Beazley Insurance subsidiary said Akira, Qilin and INC Ransomware were the most prolific groups in the third quarter, which saw 11% more leak posts than the previous three months. As per Q2, the use of valid credentials to access VPNs was the most common method of initial access, accounting for half (48%) of breaches – up from 38% the prior quarter. External service exploits was the second most popular technique, comprising 23% of cases."
        https://www.infosecurity-magazine.com/news/half-ransomware-access-hijacked/
      • CISA Releases Guide To Mitigate Risks From Bulletproof Hosting Providers
        "Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders mitigate cybercriminal activity enabled by Bulletproof Hosting (BPH) providers."
        https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-releases-guide-mitigate-risks-bulletproof-hosting-providers
        https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers
      • United States, Australia, And United Kingdom Sanction Russian Cybercrime Infrastructure Supporting Ransomware
        "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth and Development Office are announcing coordinated sanctions targeting Media Land, a Russia-based bulletproof hosting (BPH) service provider, for its role in supporting ransomware operations and other forms of cybercrime. OFAC is also designating three members of Media Land’s leadership team and three of its sister companies in coordination with the Federal Bureau of Investigation."
        https://home.treasury.gov/news/press-releases/sb0319
        https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletproof-hosting-provider-media-land-over-ransomware-ties/
        https://therecord.media/bulletproof-hosting-sanctions-ransomware
        https://www.bankinfosecurity.com/us-allies-sanction-russian-bulletproof-ransomware-host-a-30067
        https://cyberscoop.com/bulletproof-hosting-providers-sanctions-mitigation-media-land/
        https://hackread.com/uk-bulletproof-hosting-operator-lockbit-evil-corp/
        https://www.theregister.com/2025/11/20/russian_bph_medialand_sanctioned/
      • The AI Attack Surface: How Agents Raise The Cyber Stakes
        "Agentic AI tools are susceptible to the same risks as large language model (LLM) chatbots, but their autonomous capabilities may make their capacity to leak data and compromise organizations even worse. AI agents have taken the world by storm in recent months, as companies have bought and sold these tools under the premise that an advanced LLM could autonomously reason and complete tasks at a professional level, without much human interaction. But as time progresses, security concerns in the new AI age have grown more complex."
        https://www.darkreading.com/application-security/ai-attack-surface-agents-cyber-stakes
      • Critical Railway Braking Systems Open To Tampering
        "Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. When a large, moving train is rolling down the tracks toward an oncoming obstacle, one can't rely solely on a conductor to handle what's ahead. To account for human error, in emergency circumstances, you need a system built into the train itself that can automatically bring the stock to a halt."
        https://www.darkreading.com/ics-ot-security/critical-railway-braking-systems-tampering
      • Stop Of The Month: How Threat Actors Weaponize AI Assistants With Indirect Prompt Injection
        "AI is increasingly being used across workplaces to improve operational efficiencies and get work done faster. And just as organizations are adopting it for improved productivity, threat actors are using it to launch more sophisticated, hyper-personalized attacks at a massive scale. A new and dangerous attack vector has emerged that targets the AI models themselves: prompt injection. It’s already ranked as the No. 1 vulnerability on the OWASP Top 10 for Large Language Model (LLM) Applications, and for good reason."
        https://www.proofpoint.com/us/blog/email-and-cloud-threats/stop-month-how-threat-actors-weaponize-ai-assistants-indirect-prompt

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Everest ransomware group claims to have breached Under Armour and stolen data on millions of customers



      Posted in Cyber Security News
      NCSA_THAICERT
    • DoorDash discloses a data breach after an employee was targeted by social engineering



      Posted in Cyber Security News
      NCSA_THAICERT
    • Cloudflare outage affects internet users worldwide



      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 19 November 2025

      Industrial Sector

      • METZ CONNECT EWIO2
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05
      • Schneider Electric EcoStruxure Machine SCADA Expert & Pro-Face BLUE Open Studio
        "Successful exploitation of this vulnerability could lead to loss of confidentiality and integrity."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-01
      • Shelly Pro 4PM
        "Successful exploitation of this vulnerability could result in a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-02
      • Shelly Pro 3EM
        "Successful exploitation of this vulnerability could result in a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-03
      • Schneider Electric PowerChute Serial Shutdown
        "Successful exploitation of these vulnerabilities could allow an attacker to access user accounts or gain elevated system access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-04
      • OT Vulnerabilities Mount But Patching Still a Problem
        "Patching is still the mortal weakness of operational technology environments, warns cybersecurity firm Trellix in a report assessing incidents in critical infrastructure settings during the middle two quarters of this year. Patching a programmable logic controller has never been as straightforward as updating a Windows laptop. But a mounting pile of cataloged OT vulnerabilities is creating opportunities for attackers, who increasingly have turned to the systems controlling critical infrastructure - whether to make a political statement or wreak havoc."
        https://www.bankinfosecurity.com/ot-vulnerabilities-mount-but-patching-still-problem-a-30052
        https://www.trellix.com/assets/reports/ot-threat-report-nov-2025.pdf

      Vulnerabilities

      • Google Issues Security Fix For Actively Exploited Chrome V8 Zero-Day Vulnerability
        "Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the flaw in the NIST National Vulnerability Database (NVD)."
        https://thehackernews.com/2025/11/google-issues-security-fix-for-actively.html
        https://www.bleepingcomputer.com/news/security/google-fixes-new-chrome-zero-day-flaw-exploited-in-attacks/
        https://www.securityweek.com/chrome-142-update-patches-exploited-zero-day/
        https://securityaffairs.com/184764/hacking/google-fixed-the-seventh-chrome-zero-day-in-2025.html
        https://www.malwarebytes.com/blog/news/2025/11/chrome-zero-day-under-active-attack-visiting-the-wrong-site-could-hijack-your-browser
        https://www.helpnetsecurity.com/2025/11/18/chrome-cve-2025-13223-exploited/
        https://www.theregister.com/2025/11/18/google_chrome_seventh_0_day/
      • Fortinet Warns Of New FortiWeb Zero-Day Exploited In Attacks
        "Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team. Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/
        https://fortiguard.fortinet.com/psirt/FG-IR-25-513
      • Cloud Break: IoT Devices Open To Silent Takeover Via Firewalls
        "Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. Typically, hackers breach IoT devices by obtaining their IP addresses and exploiting firmware vulnerabilities. This works well against organizations that, due to ignorance, disregard, delay, or genuine inability, can't apply patches in time to protect themselves. Businesses that don't expose their devices to the Web and patch diligently can rest easy knowing that hackers don't have a way in."
        https://www.darkreading.com/cybersecurity-operations/cloud-iot-devices-takeover-firewalls

      Malware

      • Sinobi: The Bougie-Exclusive Ransomware Group That Wants To Be a Ninja
        "The Sinobi ransomware brand emerged in mid-2025 and has quickly distinguished itself through calculated intrusions, disciplined operational security and a professional structure that reveals highly skilled and well-connected operators. Sinobi is a hybrid ransomware-as-a-service (RaaS) organization. Core members work with well-screened affiliates to maintain centralized control and distributed operational capability. The group’s techniques improve as the group matures. Sinobi operations are notable for quiet intrusions, modular tooling, selective targeting, and a strong emphasis on both stealth and leverage. The group is also known for its extensive, sophisticated use of living-off-the-land (LotL) and living-off-the-land binaries (LOLBins)."
        https://blog.barracuda.com/2025/11/17/sinobi--the-bougie-exclusive-ransomware-group-that-wants-to-be-a
      • ShadowRay 2.0: Attackers Turn AI Against Itself In Global Campaign That Hijacks AI Into Self-Propagating Botnet
        "In early November 2025, the Oligo Security research team identified an attack campaign exploiting the ShadowRay vulnerability (CVE-2023-48022) in Ray, a widely used open-source AI framework. This is the same flaw Oligo previously observed being exploited in late 2023 (see the new MITRE, ShadowRay, Campaign C0045). For the recent campaign, attackers leveraged DevOps-style infrastructure by using GitLab as a platform for updating and delivering region-aware malware. Oligo reported this activity to GitLab and the attacker repository and account were removed on November 5, 2025. However, Oligo has determined that the attackers have migrated to GitHub in order to continue their campaign as of November 10, 2025, creating multiple accounts and new repos. It remains active."
        https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet
        https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-convert-ray-clusters-into-crypto-miners/
        https://cyberscoop.com/ray-ai-cryptojacking-vulnerability-exposed-clusters-attack-oligo-security/
        https://www.theregister.com/2025/11/18/selfreplicating_botnet_ray_clusters/
      • License To Encrypt: “The Gentlemen” Make Their Move
        "Cybereason Threat Intelligence Team recently conducted an analysis of "The Gentlemen" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid. The group has demonstrated a unique approach by combining established ransomware techniques with newer strategies, making them quick to adapt to new attack vectors, allowing them to remain a persistent and evolving threat to organizations worldwide."
        https://www.cybereason.com/blog/the-gentlemen-ransomware
      • Frontline Intelligence: Analysis Of UNC1549 TTPs, Custom Tools, And Malware Targeting The Aerospace And Defense Ecosystem
        "Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. Since mid-2024, Mandiant has responded to targeted campaigns by the threat group UNC1549 against the aerospace, aviation and defense industries. To gain initial access into these environments, UNC1549 employed a dual approach: deploying well-crafted phishing campaigns designed to steal credentials or deliver malware and exploiting trusted connections with third-party suppliers and partners."
        https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense
        https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html
        https://www.darkreading.com/cybersecurity-operations/iran-nexus-threat-actor-unc1549-takes-aim-aerospace
        https://www.bankinfosecurity.com/google-finds-new-malware-backdoors-linked-to-iran-a-30063
      • Analyzing The Latest Sneaky2FA Browser-In-The-Browser Phishing Page
        "PhaaS kits make up the vast majority of phishing sites intercepted by Push and dominate the phishing landscape, with kits like Tycoon, NakedPages, Flowerstorm, Salty2FA, and various Evilginx variations proving very popular among attackers targeting Push customers. PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee."
        https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page
        https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html
      • Morphisec Thwarts Sophisticated Tuoni C2 Attack On U.S. Real Estate Firm
        "In October 2025, Morphisec’s anti-ransomware prevention platform stopped a highly advanced cyberattack targeting a major U.S. real estate company. The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads. Notably, while Tuoni itself is a sophisticated but traditional C2 framework, the delivery mechanism showed signs of AI assistance in code generation, evident from the scripted comments and modular structure of the initial loader."
        https://www.morphisec.com/blog/morphisec-thwarts-sophisticated-tuoni-c2-attack-on-us-real-estate-firm/
        https://thehackernews.com/2025/11/researchers-detail-tuoni-c2s-role-in.html
        https://www.infosecurity-magazine.com/news/ai-tuoni-framework-targets-us-real/
      • Pro-Russian Group Claims Hits On Danish Party Websites As Voters Head To Polls
        "Cyberattacks claimed by pro-Russian hackers briefly knocked offline Danish political party and government websites on the eve of local elections, officials said, adding that the incidents did not disrupt voting. Several party websites — including those of the Conservatives, the Red-Green Alliance, the Moderates and the ruling Social Democrats — were hit by distributed denial-of-service (DDoS) attacks on Monday, temporarily preventing access. DDoS attacks flood targeted servers with traffic to disrupt normal operations."
        https://therecord.media/denmark-election-political-government-websites-ddos-incidents
      • MI5 Warns Of Chinese Spies Using LinkedIn To Gain Intel On Lawmakers
        "The U.K.’s domestic security and intelligence agency warned members of the Houses of Parliament on Tuesday that Chinese spies were actively attempting to target them through LinkedIn. The alert from MI5 was circulated among politicians by the speakers of both the House of Commons and House of Lords. “This activity involves a covert and calculated attempt by a foreign power to interfere in our sovereign affairs in favour of its own interests, and this government will not tolerate it,” said Security Minister Dan Jarvis before the House of Commons on Tuesday."
        https://therecord.media/mi5-warns-chinese-spies-using-linkedin-lawmakers
      • Breaking Down S3 Ransomware: Variants, Attack Paths And Trend Vision One™ Defenses
        "Ransomware has long been a persistent threat, traditionally targeting on-premises environments through tactics such as network intrusions, phishing emails, malicious attachments, and exploitation of outdated or vulnerable software. However, as organizations shift to the cloud, ransomware tactics are adapting: In cloud environments, attackers are increasingly exploiting customer misconfigured storage resources and stolen credentials. Unlike traditional ransomware that relies heavily on encryption malware, cloud-focused variants often leverage native cloud features to delete or overwrite data, suspend access, or extract sensitive content – all while staying under the radar of traditional security tools."
        https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
      • Anatomy Of An Akira Ransomware Attack: When a Fake CAPTCHA Led To 42 Days Of Compromise
        "Unit 42 recently assisted a global data storage and infrastructure company that experienced a destructive ransomware attack. This attack was orchestrated by Howling Scorpius, the distributors of Akira ransomware. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a 42-day (yes, we see the irony, too!) compromise that exposed critical gaps. This incident underscores the fact that having security tools deployed is not the same as having security coverage with full visibility into your environment."
        https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/
      • DigitStealer: a JXA-Based Infostealer That Leaves Little Footprint
        "During analysis of executable samples collected through our in-house detection rules, Jamf Threat Labs identified a family of malicious stealers that we are tracking under the name "DigitStealer." Security experts continue to track an expanding ecosystem of these threats, and over time it became evident that most stealers share the same core objectives and follow a fairly linear path to achieve them. Occasionally, however, we see fresh techniques or creative implementations that stand out. Similar to our writeup on the Odyssey infostealer, this blog post will put focus on many of the unique traits of this newly discovered stealer."
        https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/

      Breaches/Hacks/Leaks

      • Half a Million Stolen FTSE 100 Credentials Found On Criminal Sites
        "Security experts have warned the UK’s largest companies that they’re at risk of being breached, after finding hundreds of thousands of corporate credentials on cybercrime sites. Socura teamed up with Flare to monitor “cybercrime communities” across the clear and dark web for FTSE 100 company domains. Its resulting report, FTSE 100 for Sale, revealed 460,000 compromised credentials belonging to employees at these firms. Some firms had as many as 45,000 leaked credentials, while 15 companies had more than 10,000 each. Although this is a problem across multiple sectors, financial services (70,000+) was particularly affected."
        https://www.infosecurity-magazine.com/news/half-million-stolen-ftse-100/
      • French Agency Pajemploi Reports Data Breach Affecting 1.2M People
        "Pajemploi, the French social security service for parents and home-based childcare providers, has suffered a data breach that may have exposed personal information of 1.2 million individuals. The incident impacts registered professional caregivers working for private employers, typically parents using the Pajemploi service part of URSSAF - the French organization that collects social security contributions from employers and individuals. "The Pajemploi service has been the victim of a theft of personal data belonging to employees of private employers using the Pajemploi service," reads the announcement from the agency."
        https://www.bleepingcomputer.com/news/security/french-agency-pajemploi-reports-data-breach-affecting-12m-people/
      • LG Battery Subsidiary Says Ransomware Attack Targeted Overseas Facility
        "One of the world’s largest battery makers confirmed it was affected by ransomware following claims made by a cybercriminal gang that the FBI spotlighted last week. A spokesperson for South Korea-based LG Energy Solution said the company recently identified an attack and is currently implementing security measures to address the situation."
        https://therecord.media/lg-energy-solution-ransomware-incident-battery-maker

      General News

      • What Security Pros Should Know About Insurance Coverage For AI Chatbot Wiretapping Claims
        "AI-powered chatbots raise profound concerns under federal and state wiretapping and eavesdropping statutes that are being tested by recent litigation, creating greater exposure to the companies and developers that use this technology. Security professionals that integrate AI chatbots into their business face uncertainty about whether insurance will cover privacy-related claims arising from these technologies. In this Help Net Security interview, Stephanie Gee, Insurance Recovery Counsel at Reed Smith, discusses the development of these privacy claims as they pertain to AI bots and common coverage issues and solutions for security professionals as they seek to protect against these risks."
        https://www.helpnetsecurity.com/2025/11/18/stephanie-gee-reed-smith-ai-chatbot-legal-risks/
      • How Attackers Use Patience To Push Past AI Guardrails
        "Most CISOs already assume that prompt injection is a known risk. What may come as a surprise is how quickly those risks grow once an attacker is allowed to stay in the conversation. A new study from Cisco AI Defense shows how open weight models lose their footing over longer exchanges, a pattern that raises questions about how these models should be evaluated and secured."
        https://www.helpnetsecurity.com/2025/11/18/open-weight-ai-model-security/
      • The Privacy Panic Around Machine Learning Is Overblown
        "We often hear warnings about how machine learning (ML) models may expose sensitive information tied to their training data. The concern is understandable. If a model was trained on personal records, it may seem reasonable to assume that releasing it could reveal something about the people behind those records. A study by Josep Domingo-Ferrer examines this assumption and finds that the situation is less threatening than current discussions suggest."
        https://www.helpnetsecurity.com/2025/11/18/machine-learning-privacy-risk-training-data/
      • The Realities Of CISO Burnout And Exhaustion
        "CISOs are facing unprecedented challenges to their mental health due to today’s rapidly evolving threat landscape. They are often held accountable if a breach or disruption occurs, and the average tenure for a CISO tends to decrease significantly after such incidents. This constant pressure makes it difficult for them to find peace, let alone get a good night’s sleep. Meanwhile, threats are increasing in speed and complexity, but budgets and board interest are starting to decline: a bad combination."
        https://cyberscoop.com/ciso-burnout-mental-health-cybersecurity-exhaustion-op-ed/
      • GenAI And Deepfakes Drive Digital Forgeries And Biometric Fraud
        "AI technology is being adopted by fraudsters in ever growing numbers to commit new account fraud (NAF) and circumvent even biometric-based checks, according to a new report from Entrust. The security vendor analyzed data from over one billion identity verifications in 30+ sectors and 195 countries, between September 2024 and September 2025, to compile its 2026 Identity Fraud Report. It revealed that, while physical counterfeits accounted for almost half (47%) of document fraud attempts, digital forgeries now comprise over a third (35%). The latter has been driven by “the accessibility and scalability of modern editing tools” and generative AI (GenAI), which enables the creation of “hyper-realistic replicas” of identity documents, it said."
        https://www.infosecurity-magazine.com/news/genai-deepfakes-digital-forgeries/
      • Can a Global, Decentralized System Save CVE Data?
        "The current challenges with tracking vulnerabilities, enriching reported data in a timely manner, and maintaining the collection of information call for a revamping of the Common Vulnerabilities and Enumeration (CVE) system, according to security data analyst Jerry Gamblin. As a result, the National Vulnerability Database (NVD) — the de facto repository of data maintained by MITRE and the National Institute of Standards and Technology (NIST) — continues to lag in analyzing vulnerabilities. In the past five years, more than 155,000 identifiers have been assigned as part of the Common Vulnerabilities and Enumeration (CVE) process, but only a quarter (26%) have been analyzed and enriched with additional data, according to Gamblin's analysis, which he will present at the Black Hat Europe conference in December."
        https://www.darkreading.com/cybersecurity-operations/can-global-decentralized-system-save-cve-data
      • Bug Bounty Programs Rise As Key Strategic Security Solutions
        "Bug bounty programs have emerged as a cornerstone of modern cybersecurity strategy, fundamentally transforming how organizations approach vulnerability management and security testing. These programs offer a compelling alternative to traditional security assessments by harnessing the collective expertise of global researcher communities while increasingly becoming a key strategic security solution."
        https://www.darkreading.com/cybersecurity-operations/bug-bounty-programs-rise-as-key-strategic-security-solutions
      • Russian Suspect Detained In Thailand Is Allegedly Tied To Void Blizzard Group
        "A suspected Russian hacker arrested in Thailand earlier this month is reportedly linked to a relatively new Kremlin-aligned threat actor that has targeted government and critical infrastructure networks across Europe and North America, according to media reports. Thai police last week confirmed the detention of a “world-famous hacker” wanted by the United States for cyberattacks on government agencies. Russian state-controlled outlet RT later identified the suspect as 35-year-old Denis Obrezko, a Stavropol native who previously worked for major Russian IT firms “developing high-tech systems for domestic industries.”"
        https://therecord.media/russian-arrested-thailand-allegedly-void-blizzard-apt-member

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds one known exploited vulnerability to its catalog

      On 18 November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild:

      • CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability

      Vulnerabilities of this type are frequently used as attack vectors by malicious actors and pose significant risks to federal government networks.

      CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) catalog as a list of CVEs that carry significant risk and are actively exploited. Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the specified due date to protect their networks against these threats.

      CISA will continue to update the KEV catalog and add new vulnerabilities to it, so that it covers risks that are actually observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases six Industrial Control Systems (ICS) advisories

      On 18 November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released six Industrial Control Systems (ICS) advisories to provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The advisories are:

      • ICSA-25-322-01 Schneider Electric EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio
      • ICSA-25-322-02 Shelly Pro 4PM
      • ICSA-25-322-03 Shelly Pro 3EM
      • ICSA-25-322-04 Schneider Electric PowerChute Serial Shutdown
      • ICSA-25-322-05 METZ CONNECT EWIO2
      • ICSA-25-224-03 Schneider Electric EcoStruxure (Update B)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-releases-six-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 18 November 2025

      New Tooling

      • Strix: Open-Source AI Agents For Penetration Testing
        "Security teams know that application flaws tend to show up at the worst time. Strix presents itself as an open source way to catch them earlier by using autonomous agents that behave like human attackers. These agents run code, explore an application, uncover weaknesses, and prove those findings with working proof of concepts."
        https://www.helpnetsecurity.com/2025/11/17/strix-open-source-ai-agents-penetration-testing/
        https://github.com/usestrix/strix

      Vulnerabilities

      • DoorDash Email Spoofing Vulnerability Sparks Messy Disclosure Dispute
        "A vulnerability in DoorDash's systems could allow anyone to send "official" DoorDash-themed emails right from the company's authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious dispute has erupted between the researcher who reported the vulnerability and the company, with both sides accusing each other of acting improperly."
        https://www.bleepingcomputer.com/news/security/doordash-email-spoofing-vulnerability-sparks-messy-disclosure-dispute/
      • EchoGram: The Hidden Vulnerability Undermining AI Guardrails
        "Large Language Models (LLMs) are increasingly protected by “guardrails”, automated systems designed to detect and block malicious prompts before they reach the model. But what if those very guardrails could be manipulated to fail? HiddenLayer researchers have uncovered EchoGram, a groundbreaking attack technique that can flip the verdicts of defensive models, causing them to mistakenly approve harmful content or flood systems with false alarms. The exploit targets two of the most common defense approaches, text classification models and LLM-as-a-judge systems, by taking advantage of how similarly they’re trained."
        https://hiddenlayer.com/innovation-hub/echogram-the-hidden-vulnerability-undermining-ai-guardrails/
        https://hackread.com/echogram-flaw-bypass-guardrails-major-llms/

      Malware

      • Defending The Cloud: Azure Neutralized a Record-Breaking 15 Tbps DDoS Attack
        "On October 24, 2025, Azure DDOS Protection automatically detected and mitigated a multi-vector DDoS attack measuring 15.72 Tbps and nearly 3.64 billion packets per second (pps). This was the largest DDoS attack ever observed in the cloud and it targeted a single endpoint in Australia. By utilizing Azure’s globally distributed DDoS Protection infrastructure and continuous detection capabilities, mitigation measures were initiated. Malicious traffic was effectively filtered and redirected, maintaining uninterrupted service availability for customer workloads."
        https://techcommunity.microsoft.com/blog/azureinfrastructureblog/defending-the-cloud-azure-neutralized-a-record-breaking-15-tbps-ddos-attack/4470422
        https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-used-500-000-ips-in-15-tbps-azure-ddos-attack/
        https://securityaffairs.com/184749/cyber-crime/microsoft-mitigated-the-largest-cloud-ddos-ever-recorded-15-7-tbps.html
        https://www.theregister.com/2025/11/17/biggest_cloud_ddos_attack_azure/
      • EVALUSION Campaign Delivers Amatera Stealer And NetSupport RAT
        "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
        https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
        https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
      • RONINGLOADER: DragonBreath’s New Path To PPL Abuse
        "Elastic Security Labs identified a recent campaign distributing a modified variant of the gh0st RAT, attributed to the Dragon Breath APT (APT-Q-27), through trojanized NSIS installers masquerading as legitimate software such as Google Chrome and Microsoft Teams. The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market. These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL abuse."
        https://www.elastic.co/security-labs/roningloader
        https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html
      • Npm Malware Campaign Uses Adspect Cloaking To Deliver Malicious Redirects
        "The Socket Threat Research Team recently discovered dino_reborn, an npm threat actor with seven packages constructing an intricate malware campaign. Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring."
        https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliver-malicious-redirects
        https://www.bleepingcomputer.com/news/security/malicious-npm-packages-abuse-adspect-redirects-to-evade-security/

      Breaches/Hacks/Leaks

      • AIPAC Discloses Data Breach, Says Hundreds Affected
        "AIPAC (American Israel Public Affairs Committee) has announced a data breach linked to an external system breach that involved an unknown third-party company. The disclosure appeared in a notification submitted to the Maine attorney general’s office on November 14, 2025."
        https://hackread.com/aipac-data-breach-hundreds-affected/
      • Eurofiber France Warns Of Breach After Hacker Tries To Sell Customer Data
        "Eurofiber France disclosed a data breach it discovered late last week when hackers gained access to its ticket management system by exploiting a vulnerability and exfiltrated information. Eurofiber France SAS is the French unit of the Eurofiber Group N.V., a Dutch telecommunications service provider that operates a fiber network of 76,000 km across the Netherlands, Belgium, France, and Germany. The company specializes in providing digital infrastructure for businesses, rather than the consumer market."
        https://www.bleepingcomputer.com/news/security/eurofiber-france-warns-of-breach-after-hacker-tries-to-sell-customer-data/
        https://www.theregister.com/2025/11/17/eurofiber_breach/
      • Princeton University Discloses Data Breach Affecting Donors, Alumni
        "A Princeton University database was compromised in a cyberattack on November 10, exposing the personal information of alumni, donors, faculty members, and students. According to a FAQ page issued on Saturday, the threat actors breached Princeton's systems by targeting a University employee in a phishing attack. This allowed them to gain access to "biographical information pertaining to University fundraising and alumni engagement activities," including names, email addresses, telephone numbers, and home and business addresses stored in the compromised database."
        https://www.bleepingcomputer.com/news/security/princeton-university-discloses-data-breach-affecting-donors-alumni/
        https://therecord.media/princeton-donor-alumni-database-breach
      • Pennsylvania AG Confirms Data Breach After INC Ransom Attack
        "The office of Pennsylvania's attorney general has confirmed that the ransomware gang behind an August 2025 cyberattack stole files containing personal and medical information. This comes after Attorney General Dave Sunday confirmed in early September that the incident was a ransomware attack and his office refused to pay the ransom requested by the cybercriminals after they encrypted compromised systems. "The OAG later learned that certain files may have been accessed without authorization. The OAG reviewed which data may have been involved and learned that certain personal information was contained in some files," said the Pennsylvania Office of the Attorney General (OAG) in a Friday press release."
        https://www.bleepingcomputer.com/news/security/pennsylvania-ag-confirms-data-breach-after-inc-ransom-attack/
        https://therecord.media/pennsylvania-attorney-general-office-data-breach-ssns
      • Everest Ransomware Says It Stole Data Of Millions Of Under Armour Users
        "Everest ransomware gang is claiming to have breached Under Armour, Inc., the American sportswear giant, and stolen 343 GB of internal company data, employee information, along with personal data of millions from various countries. The claims were published earlier today on the group’s official dark web leak site."
        https://hackread.com/everest-ransomware-under-armour-users-data/

      General News

      • October 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on Infostealer malware such as distribution volume, distribution methods, and disguising techniques, which were collected and analyzed for one month in October 2025. The following is a summary of the report."
        https://asec.ahnlab.com/en/91062/
      • October 2025 Trends Report On Phishing Emails
        "This report provides the statistics, trends, and case information on the distribution of phishing emails and attachment-based threats collected and analyzed for one month in October 2025. Below is a portion of the statistics and cases included in the original report."
        https://asec.ahnlab.com/en/91060/
      • October 2025 APT Group Trends
        "North Korea-affiliated cyber threat groups have stolen cryptocurrency, credentials, and performed reconnaissance and remote control attacks through various malware and operations. They used Node.js-based malware and a multi-stage infection chain to target both Windows and macOS environments. Through their recruitment scams, interview disguises, and industrial espionage campaigns, they intensively attacked relevant individuals in the defense, blockchain, and Web3 industries."
        https://asec.ahnlab.com/en/91061/
      • The Tech That Turns Supply Chains From Brittle To Unbreakable
        "In this Help Net Security interview, Sev Kelian, CISO and VP of Security at Tecsys, discusses how organizations can strengthen supply chain resilience through a more unified and forward-looking strategy. Kelian also shares how new technologies and a blended view of cyber and physical risk are changing the way teams think about strategy and long-term planning."
        https://www.helpnetsecurity.com/2025/11/17/sev-kelian-tecsys-supply-chain-resilience-strategy/
      • Dutch Police Seize 250 Servers Used By “Bulletproof Hosting” Service
        "The police in the Netherlands have seized around 250 physical servers powering a bulletproof hosting service in the country used exclusively by cybercriminals for providing complete anonymity. Politie, the police force in the Netherlands, did not name the service but said that it has been used for illicit activities since 2022, and has emerged in more than 80 cybercrime investigations, both domestic and abroad. Bulletproof hosting providers are companies that intentionally ignore abuse reports and refuse to comply with content takedown requests from law enforcement while protecting their customers by not enforcing Know Your Customer policies."
        https://www.bleepingcomputer.com/news/security/dutch-police-seizes-250-servers-used-by-bulletproof-hosting-service/
      • An Uncertain Future For The Global Internet
        "Global internet freedom declined for the 15th consecutive year. Of the 72 countries assessed in Freedom on the Net 2025, conditions deteriorated in 28, while 17 countries registered overall gains. Kenya experienced the most severe decline of the coverage period, after authorities responded to nationwide protests over tax policy in June 2024 by shutting down internet connectivity for around seven hours and arresting hundreds of protesters. Bangladesh earned the year’s strongest improvement, as a student-led uprising ousted the country’s repressive leadership in August 2024 and an interim government made positive reforms. China and Myanmar remained the world’s worst environments for internet freedom, while Iceland held its place as the freest online environment."
        https://freedomhouse.org/report/freedom-net/2025/uncertain-future-global-internet
        https://www.helpnetsecurity.com/2025/11/17/freedom-house-global-internet-freedom-decline/
      • Cyber Readiness Stalls Despite Confidence In Incident Response
        "Cyber readiness is stalling as over-confident teams ignore the reality that incident response times have not improved despite more spending and oversight, according to Immersive. The cyber-training vendor’s Cyber Workforce Benchmark Report 2025 is based on anonymized data collected from the Immersive One platform, simulated exercises across technical and business functions, and a readiness perception survey. A resilience score quantifies organizational readiness across skills, practices, decision-making performance, framework coverage and adaptability to new threats."
        https://www.infosecurity-magazine.com/news/cyber-readiness-stalls-incident/
        https://www.theregister.com/2025/11/17/immersive_cyber_resilience_report/
      • Frontline Security Predictions 2026: The Battle For Reality And Control In a World Of Agentic AI
        "The power and potential of agentic AI — adaptive, automated and independent — dominated security conversations during 2025. Barracuda asked four colleagues leading cyberthreat and security areas around the world, what they expect from agentic AI in 2026 and what this means for cybersecurity."
        https://blog.barracuda.com/2025/11/17/frontline-security-predictions-2026-agentic-ai
      • Europol And Partner Countries Combat Online Radicalisation On Gaming Platforms
        "Europol supported eight countries in identifying and removing racist and xenophobic propaganda shared on gaming and gaming-related platforms. The Referral Action Day, involving Denmark, Finland, Germany, Luxembourg, the Netherlands, Portugal, Spain and the United Kingdom, led to the referral of thousands of URLs leading to dangerous and illicit online material."
        https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partner-countries-combat-online-radicalisation-gaming-platforms
        https://www.theregister.com/2025/11/17/game_over_europol_storms_gaming/
        https://www.infosecurity-magazine.com/news/europol-takedown-extremist-gaming/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft Investigating KB5068781 Problem After ESU Update Fails on Windows 10


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • ASUS Fixes Critical Vulnerability CVE-2025-59367 in DSL Routers



      Posted in Cyber Security News
      NCSA_THAICERT
    • Logitech Confirms Data Breach by the Clop Hacker Group via a Third-Party Software Vulnerability



      Posted in Cyber Security News
      NCSA_THAICERT
    • Security Vulnerability Found in FortiWeb Products: Update Immediately

      On 14 November 2025 the Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a critical security vulnerability (a relative path traversal) in Fortinet FortiWeb, a product that many public- and private-sector organizations use to protect their websites. Attackers have already been reported exploiting the vulnerability.

      The vulnerability can let an attacker send commands to the appliance and take control of it without authenticating, so an organization's system could be reconfigured or commanded without authorization.

      Affected versions

      • FortiWeb 8.0.0 – 8.0.1
      • FortiWeb 7.6.0 – 7.6.4
      • FortiWeb 7.4.0 – 7.4.9
      • FortiWeb 7.2.0 – 7.2.11
      • FortiWeb 7.0.0 – 7.0.11

      Recommendations for organizations running FortiWeb
      To keep systems secure, organizations should act promptly:
      Upgrade to a fixed version, as advised by Fortinet:

      Installed version   Fix
      8.0.0 – 8.0.1       upgrade to 8.0.2 or later
      7.6.0 – 7.6.4       upgrade to 7.6.5 or later
      7.4.0 – 7.4.9       upgrade to 7.4.10 or later
      7.2.0 – 7.2.11      upgrade to 7.2.12 or later
      7.0.0 – 7.0.11      upgrade to 7.0.12 or later

      If you cannot update immediately

      • Temporarily disable access to the management interface from the internet
      • Restrict management access to the internal network only

      After updating

      • Review the system configuration
      • Review the event logs for unexpected changes and for administrator accounts that were added without authorization

      The vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the US cybersecurity agency (CISA), which reflects the high risk and the need to take protective action immediately.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb


      Posted in Cyber Security News
      NCSA_THAICERT
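      The FortiWeb advisory above gives five affected ranges and five fix targets, which is easy to misapply across a fleet, especially for builds the advisory does not list. The block below is an added example, not code from the NCSA post or from Fortinet: it parses FortiWeb version strings, classifies each against the ranges listed in the post, and orders a constructed sample inventory by urgency. Hostnames and versions in the sample are made up, and any branch the advisory does not cover (for example a 6.x build) is reported as "unlisted" for manual review rather than assumed safe.

```python
"""Triage FortiWeb firmware versions against the advisory's affected ranges.

Added example, not code from the NCSA post or from Fortinet. The affected
ranges and fix targets are the ones listed in the post; the device inventory
at the bottom is constructed sample data.
"""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Branch(NamedTuple):
    first: Version   # lowest affected build in this branch
    last: Version    # highest affected build in this branch
    fixed: Version   # first fixed build


def parse_version(text: str) -> Version:
    """'7.6.4' -> (7, 6, 4); tolerates a leading 'v' and surrounding whitespace."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


# Affected ranges and fix targets as listed in the advisory summary above.
AFFECTED = [
    Branch((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    Branch((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    Branch((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    Branch((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    Branch((7, 0, 0), (7, 0, 11), (7, 0, 12)),
]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(version: str) -> dict:
    """Classify one device.

    status is one of:
      'vulnerable' - inside an affected range; 'upgrade_to' names the fix
      'fixed'      - on a listed branch at or above the fixed build
      'unlisted'   - branch not covered by the advisory; needs manual review,
                     it must not be treated as safe
    """
    v = parse_version(version)
    for b in AFFECTED:
        if b.first[:2] == v[:2]:            # same major.minor branch
            if b.first <= v <= b.last:
                return {"version": version, "status": "vulnerable",
                        "upgrade_to": fmt(b.fixed)}
            if v >= b.fixed:
                return {"version": version, "status": "fixed", "upgrade_to": None}
    return {"version": version, "status": "unlisted", "upgrade_to": None}


def triage_inventory(inventory: dict) -> list:
    """Devices needing action first: vulnerable, then unlisted, then fixed."""
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    rows = [{"host": host, **triage(ver)} for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "fwb-dmz-01": "7.6.4",
        "fwb-dmz-02": "7.6.5",
        "fwb-hq-01": "8.0.1",
        "fwb-branch-01": "7.0.11",
        "fwb-lab-01": "6.4.3",
    }
    for row in triage_inventory(sample):
        print(f"{row['host']:14} {row['version']:8} {row['status']:10} "
              f"{row['upgrade_to'] or ''}")
```

      Feed it the version strings from your asset inventory rather than from the appliance's own login banner, and treat every "unlisted" result as a device to check against Fortinet's full advisory by hand.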
    • Cyber Threat Intelligence 14 November 2025

      Healthcare Sector

      • Healthcare Security Is Broken Because Its Systems Can’t Talk To Each Other
        "In this Help Net Security interview, Cameron Kracke, CISO at Prime Therapeutics, discusses how the healthcare ecosystem can achieve cohesive security visibility. With hospitals, clinics, telehealth, and cloud partners all in the mix, maintaining visibility remains a complex task. Kracke shares how interoperability, collaboration, and strategic investment can strengthen resilience across the healthcare security landscape."
        https://www.helpnetsecurity.com/2025/11/13/cameron-kracke-prime-therapecutics-healthcare-security-ecosystem/

      Industrial Sector

      • CISA Releases 18 Industrial Control Systems Advisories
        "CISA released 18 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
        https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-releases-18-industrial-control-systems-advisories

      New Tooling

      • Sprout: Open-Source Bootloader Built For Speed And Security
        "Sprout is an open-source bootloader that delivers sub-second boot times and uses a clean, data-driven configuration format that works across operating systems. “We built Sprout because we were frustrated by how fragile and slow traditional bootloaders are,” said Alex Zenla, CTO at Edera. Sprout is designed for modern infrastructure where every second counts. It can boot Linux in under 50 milliseconds, which is critical for autoscaling and deployment in cloud environments."
        https://www.helpnetsecurity.com/2025/11/13/sprout-open-source-bootloader/
        https://github.com/edera-dev/sprout

      Vulnerabilities

      • Firefox 145 And Chrome 142 Patch High-Severity Flaws In Latest Releases
        "Google and Mozilla on Tuesday released fresh updates for Chrome and Firefox to resolve multiple high-severity vulnerabilities. Google announced a Chrome 142 update that resolves a high-severity inappropriate implementation issue in the V8 JavaScript engine. The bug is tracked as CVE-2025-13042. The internet giant has not detailed the flaw, but such V8 defects can typically be exploited remotely to cause denial-of-service (DoS) conditions or for code execution, Hong Kong CERT/CC notes. Google has yet to determine the bug bounty reward for the defect."
        https://www.securityweek.com/firefox-145-and-chrome-142-patch-high-severity-flaws-in-latest-releases/
      • Critical: Remote Code Execution Via Malicious Obfuscated Malware In Imunify360 AV (AI-Bolit)
        "Recently a critical Remote Code Execution issue was patched in the Imunify360 AV product. Imunify360 serves up to 56 million websites. Hosting companies should patch the issue immediately. The information about this vulnerability has been spreading since the end of October, so we also recommend that affected hosting companies check whether their servers have been compromised."
        https://patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360/
        https://www.bleepingcomputer.com/news/security/rce-flaw-in-imunifyav-puts-millions-of-linux-hosted-sites-at-risk/
      • When GPTs Call Home: Exploiting SSRF In ChatGPT’s Custom Actions
        "In cybersecurity, you begin to develop a kind of hacker mindset or “sixth sense”. You start seeing the world not just for what it does, but for what it could do. So, when I was building my first custom GPT in ChatGPT and got to the “Actions” section, that sense started tingling! I wasn’t even on a bug hunt, just curious about the custom GPT feature and building a custom assistant. The goal was to have a GPT pull data from my own external API, but once I realized this feature was returning data from a user-provided URL, alarm bells went off and the hacker instinct took over, telling me to check for SSRF."
        https://sirleeroyjenkins.medium.com/when-gpts-call-home-exploiting-ssrf-in-chatgpts-custom-actions-5df9df27dbe9
        https://www.securityweek.com/chatgpt-vulnerability-exposed-underlying-cloud-infrastructure/

      Malware

      • CISA And Partners Release Advisory Update On Akira Ransomware
        "Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators of compromise, tactics, techniques, and procedures, and detection methods associated with Akira ransomware activity."
        https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
        https://therecord.media/akira-gang-received-million
        https://cyberscoop.com/akira-ransomware-fbi-cisa-joint-advisory/
      • “IndonesianFoods” Worm Publishes More Than 78,000 Malicious NPM Packages
        "I’ve identified an NPM worm that has published over 78,000 malicious packages to the NPM registry, affecting at least eleven NPM users. This attack focuses on creating new packages rather than stealing credentials or engaging in other, more immediately malicious behaviours. This attack almost doubles the known number of malicious NPM packages."
        https://sourcecodered.com/indonesianfoods-npm-worm/
        https://www.endorlabs.com/learn/the-great-indonesian-tea-theft-analyzing-a-npm-spam-campaign
        https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html
        https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/
        https://www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
        https://www.securityweek.com/tens-of-thousands-of-malicious-npm-packages-distribute-self-replicating-worm/
      • Popular Android-Based Photo Frames Download Malware On Boot
        "Uhale Android-based digital picture frames come with multiple critical security vulnerabilities and some of them download and execute malware at boot time. Mobile security company Quokka conducted an in-depth security assessment on the Uhale app and found behavior suggesting a connection with the Mezmess and Voi1d malware families. The researchers reported the issues to ZEASN (now ‘Whale TV’), the Chinese firm behind the Uhale platform used in the digital picture frames of numerous different brands, but received no reply to multiple notifications since May."
        https://www.bleepingcomputer.com/news/security/popular-android-based-photo-frames-download-malware-on-boot/
        https://go.quokka.io/hubfs/App-Intel/Technical_Uhale-Digital-Picture-Frame-Security-Assessment.pdf
      • Unleashing The Kraken Ransomware Group
        "In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB) vulnerabilities for initial access, then used tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration before encryption. Kraken is a cross-platform ransomware with distinct encryptors for Windows, Linux, and VMware ESXi, targeting a wide range of enterprise environments."
        https://blog.talosintelligence.com/kraken-ransomware-group/
      • Uncovering a Multi-Stage Phishing Kit Targeting Italy's Infrastructure
        "Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision. Using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration, attackers harvest credentials and bypass automated detection. The findings highlight how phishing-as-a-service operations are scaling through automation, lowering technical barriers for cybercriminals, and industrializing one of the oldest yet most effective forms of digital fraud."
        https://www.group-ib.com/blog/uncover-phishing-italy/
        https://therecord.media/phishing-campaign-targets-italian-web-hosting-customers
      • We Opened a Fake Invoice And Fell Down a Retro XWorm-Shaped Wormhole
        "Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat."
        https://www.malwarebytes.com/blog/threats/2025/11/we-opened-a-fake-invoice-and-fell-down-a-retro-xworm-shaped-wormhole
      • Thousands Of Domains Target Hotel Guests In Massive Phishing Campaign
        "A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com."
        https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign
        https://thehackernews.com/2025/11/russian-hackers-create-4300-fake-travel.html
      • Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
        "Socket’s Threat Research Team uncovered the malicious Chrome extension Safery: Ethereum Wallet, published on November 12, 2024. Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet."
        https://socket.dev/blog/malicious-chrome-extension-exfiltrates-seed-phrases
        https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html
        https://securityaffairs.com/184585/malware/chrome-extension-safery-steals-ethereum-wallet-seed-phrases.html
      • Chinese Spies Told Claude To Break Into About 30 Critical Orgs. Some Attacks Succeeded
        "Chinese cyber spies used Anthropic's Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company. The mid-September operation targeted large tech companies, financial institutions, chemical manufacturers, and government agencies."
        https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
        https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf
      • Increase In Lumma Stealer Activity Coincides With Use Of Adaptive Browser Fingerprinting Tactics
        "In the wake of a targeted doxxing campaign last month that exposed the alleged core members of Lumma Stealer (which Trend Micro tracks as Water Kurita), the underground infostealer landscape experienced a significant upheaval. As detailed in Trend™ Research’s previous report, this exposure led to a marked decline in Lumma Stealer's activity, with many of its customers migrating to rival platforms such as Vidar and StealC. However, recent observations from our telemetry indicate a resurgence in Lumma Stealer activity, accompanied by notable changes in its command-and-control (C&C) behaviors, particularly the introduction of browser fingerprinting techniques."
        https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html

      Breaches/Hacks/Leaks

      • Washington Post Data Breach Impacts Nearly 10K Employees, Contractors
        "The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack. The news organization is one of the largest daily newspapers in the U.S. with approximately 2.5 million digital subscribers. Between July 10 and August 22, threat actors accessed parts of its network. They leveraged a vulnerability in Oracle E-Business Suite software that was a zero-day at the time to steal sensitive data."
        https://www.bleepingcomputer.com/news/security/washington-post-data-breach-impacts-nearly-10k-employees-contractors/
        https://cyberscoop.com/washington-post-oracle-clop-attacks/
        https://www.theregister.com/2025/11/13/washington_post_clop/

      General News

      • Police Disrupt Rhadamanthys, VenomRAT, And Elysium Malware Operations
        "Law enforcement authorities from nine countries have taken down over 1,000 servers used by the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations in the latest phase of Operation Endgame, an international action targeting cybercrime. The joint action, coordinated by Europol and Eurojust, was also supported by multiple private partners, including Cryptolaemus, Shadowserver, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender. Between 10 and 14 November 2025, police officers conducted searches at 11 locations in Germany, Greece, and the Netherlands, seized 20 domains, and took down 1,025 servers used by the targeted malware operations."
        https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/
        https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down
        https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys
        https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged
        https://therecord.media/operation-endgame-cybercrime-takedowns-rhadamanthys-venomrat-elysium
        https://thehackernews.com/2025/11/operation-endgame-dismantles.html
        https://www.bankinfosecurity.com/operation-endgame-disrupts-more-malware-a-30028
        https://cyberscoop.com/operation-endgame-disrupts-global-malware-networks-rhadamanthys-venomrat-elysium/
        https://www.infosecurity-magazine.com/news/operation-endgame-3-dismantles/
        https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/
        https://www.securityweek.com/1000-servers-hit-in-law-enforcement-takedown-of-rhadamanthys-venomrat-elysium/
        https://securityaffairs.com/184581/cyber-crime/a-new-round-of-europols-operation-endgame-dismantled-rhadamanthys-venom-rat-and-elysium-botnet.html
        https://www.theregister.com/2025/11/13/rhadamanthys_takedown/
        https://www.helpnetsecurity.com/2025/11/13/rhadamanthys-infostealer-operation-disrupted/
      • The State Of Ransomware In Q3 2025
        "The ransomware landscape in Q3 2025 has reached a critical inflection point. Despite multiple law enforcement takedowns earlier in the year, ransomware attacks remain at historically high levels. Check Point Research tracked 1,592 new victims across 85 active extortion groups, marking a 25% increase year-over-year. While major brands like RansomHub and 8Base have vanished, new and smaller threat actors have rapidly filled the void, fragmenting the ransomware-as-a-service (RaaS) market more than ever before."
        https://blog.checkpoint.com/research/the-state-of-ransomware-in-q3-2025/
      • October 2025 Attacks Soar 30% As New Groups Redefine The Cyber Battlefield
        "Near-record ransomware attacks and the rise of new threats like Sinobi highlight the need for rapid detection and response. Ransomware attacks soared to the second-highest total on record in October 2025. October’s 623 ransomware attacks were up more than 30% from September, and below only February 2025’s record totals (chart below). It was the sixth consecutive monthly increase in ransomware attacks."
        https://cyble.com/blog/ransomware-attacks-surge-october-2025/
      • Orgs Move To SSO, Passkeys To Solve Bad Password Habits
        "New survey data indicates that organizations are pushing hard for passwordless authentication. A significant chunk of online account passwords in 2025 remain basic and easy to crack — a fact that will surprise few. But last month, Dark Reading asked readers how their organizations are handling password security these days. The results were, perhaps surprisingly, optimistic."
        https://www.darkreading.com/identity-access-management-security/sso-passkeys-password-bad-habits
      • Wanna Bet? Scammers Are Playing The Odds Better Than You Are
        "Placing a bet has never been this easy, and that’s the problem. The convenience of online gambling is the same thing scammers are cashing in on. Whether it’s a fake app, a “can’t-miss” tipster, or a rigged casino, the game is stacked against you. By 2030, the online gambling market is projected to reach around $169 billion. 22 percent of Americans, including 48 percent of men ages 18 to 49, have an account with at least one online sportsbook."
        https://www.helpnetsecurity.com/2025/11/13/cybercrime-online-betting-scams/
      • Automation Can’t Fix Broken Security Basics
        "Most enterprises continue to fall short on basic practices such as patching, access control, and vendor oversight, according to Swimlane’s Cracks in the Foundation: Why Basic Security Still Fails report. Leadership often focuses on broad resilience goals while the day-to-day work that supports them remains inconsistent and underfunded."
        https://www.helpnetsecurity.com/2025/11/13/swimlane-security-basics-still-broken-report/
      • When Attacks Come Faster Than Patches: Why 2026 Will Be The Year Of Machine-Speed Security
        "Based on multiple 2025 industry reports: roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race between attackers and defenders. Both sides monitor the same feeds, but one moves at machine speed while the other moves at human speed."
        https://thehackernews.com/2025/11/when-attacks-come-faster-than-patches.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
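      The custom-actions SSRF item in the digest above ("When GPTs Call Home") turns on one design question: what a server does before it fetches a URL a user supplied. The block below is an added example, not code from the Medium post, from OpenAI, or from any article in this digest, of a fail-closed check for such a fetcher: only http/https, no embedded credentials, every resolved address must be public (the cloud metadata address 169.254.169.254, loopback, RFC 1918 ranges and IPv4-mapped IPv6 are refused), and a hostname that does not resolve, or that mixes public and private records, is refused rather than tried. The DNS table, hostnames and addresses are constructed so it runs offline; the resolver is injected so that `socket.getaddrinfo` can be passed in instead in production.

```python
"""Fail-closed URL validation for a server-side 'fetch this user-supplied URL' feature.

Added example, not code from the Medium post, from OpenAI, or from any of the
articles in this digest. The resolver is injected so the check can run offline
against a constructed DNS table; the hostnames and addresses below are made up.
"""
import ipaddress
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Explicit blocks on top of the properties ipaddress already knows about.
# 169.254.169.254 is the instance-metadata address SSRF is most often used to
# reach; it is link-local, so is_link_local catches it too, but listing it
# makes the intent obvious to a reviewer.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),
    ipaddress.ip_network("fd00::/8"),   # IPv6 unique-local
]


def _is_public(ip: IPAddress) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped             # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolve: Resolver) -> Optional[str]:
    """Return None if the URL is safe to fetch, otherwise the reason it was refused.

    Every resolved address must be public: a hostname with one public and one
    private record is refused, because the fetcher cannot control which one
    the connection will use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"

    # Literal IP (including bracketed IPv6)? Judge it directly, no DNS.
    try:
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(host)]
        except Exception as exc:        # resolver failure: fail closed
            return f"could not resolve {host!r}: {exc}"
        if not ips:
            return f"{host!r} did not resolve"

    for ip in ips:
        if not _is_public(ip):
            return f"{host!r} resolves to non-public address {ip}"
    return None


# Constructed DNS table standing in for socket.getaddrinfo (all made up).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.corp.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.35", "127.0.0.1"],
}


def fake_resolve(host: str) -> Iterable[str]:
    # A decimal-only host such as "2130706433" is deliberately absent: a real
    # resolver may turn it into 127.0.0.1, and this check refuses it either way.
    if host not in FAKE_DNS:
        raise LookupError("NXDOMAIN")
    return FAKE_DNS[host]


def safe_to_fetch(url: str) -> bool:
    """Convenience wrapper over the constructed resolver."""
    return check_outbound_url(url, fake_resolve) is None


if __name__ == "__main__":
    for u in ["https://api.example.com/data",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://rebind.example/",
              "http://2130706433/",
              "file:///etc/passwd"]:
        print(f"{u:45} -> {check_outbound_url(u, fake_resolve) or 'ok'}")
```

      Two things the check cannot do on its own: the HTTP client must not follow redirects automatically (each hop has to go back through `check_outbound_url`), and the connection should be made to the address that was validated rather than resolving the name a second time, otherwise a rebinding DNS record defeats the check between validation and connect.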
    • CISA Releases 18 Industrial Control Systems (ICS) Advisories

      On 13 November 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released 18 Industrial Control Systems (ICS) advisories to provide timely information on security issues, vulnerabilities and exploits affecting ICS. The advisories are:

      ICSA-25-317-01 Mitsubishi Electric MELSEC iQ-F Series
      ICSA-25-317-02 AVEVA Application Server IDE
      ICSA-25-317-03 AVEVA Edge
      ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control
      ICSA-25-317-05 Rockwell Automation Verve Asset Manager
      ICSA-25-317-06 Rockwell Automation Studio 5000 Simulation Interface
      ICSA-25-317-07 Rockwell Automation FactoryTalk DataMosaix Private Cloud
      ICSA-25-317-08 General Industrial Controls Lynx+ Gateway
      ICSA-25-317-09 Rockwell Automation FactoryTalk Policy Manager
      ICSA-25-317-10 Rockwell Automation AADvance-Trusted SIS Workstation
      ICSA-25-317-11 Siemens SICAM P850 family and SICAM P855 family
      ICSA-25-317-12 Siemens Spectrum Power 4
      ICSA-25-317-13 Siemens LOGO! 8 BM Devices
      ICSA-25-317-14 Siemens Solid Edge
      ICSA-25-317-15 Siemens COMOS
      ICSA-25-317-16 Siemens Altair Grid Engine
      ICSA-25-317-17 Siemens Software Center and Solid Edge
      ICSA-25-273-04 Festo Controller CECC-S,-LK,-D Family Firmware (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-releases-18-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT