โพสต์ถูกสร้างโดย NCSA_THAICERT

ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์อย่างใกล้ชิด และพบว่า Adobe ได้ออกอัปเดตความปลอดภัยเพื่อแก้ไขช่องโหว่ร้ายแรงหลายรายการ ซึ่งส่งผลกระทบต่อผลิตภัณฑ์ที่มีการใช้งานอย่างแพร่หลายในหน่วยงานภาครัฐ ภาคเอกชน และองค์กรขนาดใหญ่ หากยังคงใช้งานเวอร์ชันที่ได้รับผลกระทบโดยไม่ทำการแก้ไข อาจเปิดโอกาสให้ผู้ไม่หวังดีใช้เป็นช่องทางโจมตีระบบ และควบคุมเซิร์ฟเวอร์จากระยะไกลได้

รายละเอียดช่องโหว่ที่สำคัญ

Adobe ColdFusion
• CVE-2025-61809 (CVSS 9.8)
เป็นช่องโหว่ด้านการตรวจสอบข้อมูลนำเข้าที่ไม่เหมาะสม (Improper Input Validation) ผู้โจมตีสามารถส่งข้อมูลที่ถูกปรับแต่งเป็นพิเศษ (Malicious Input) เพื่อหลีกเลี่ยงมาตรการความปลอดภัย และเข้าถึง อ่าน หรือเขียนข้อมูลภายในระบบได้ ซึ่งอาจนำไปสู่การโจมตีแบบ Remote Code Execution (RCE)
• CVE-2025-61808 (CVSS 9.1)
เป็นช่องโหว่ที่เกี่ยวข้องกับกระบวนการอัปโหลดไฟล์ ซึ่งผู้โจมตีที่มีสิทธิ์ระดับสูงสามารถอาศัยช่องโหว่นี้เพื่ออัปโหลดไฟล์อันตราย และนำไปสู่การเรียกใช้โค้ดโดยไม่ได้รับอนุญาต
Adobe Experience Manager (AEM)
• CVE-2025-64537 และ CVE-2025-64539 (CVSS 9.3)
เป็นช่องโหว่ประเภท DOM-based Cross-Site Scripting (XSS) หากถูกโจมตีสำเร็จ ผู้ไม่หวังดีสามารถแทรกสคริปต์อันตรายลงในเว็บแอปพลิเคชัน และหลอกให้ผู้ใช้งานเรียกใช้งานโค้ดดังกล่าว ส่งผลให้ข้อมูลผู้ใช้งานถูกขโมย หรือถูกนำไปใช้โจมตีได้

ผลิตภัณฑ์และเวอร์ชันที่ได้รับผลกระทบ
Adobe ColdFusion
• ColdFusion 2021 – Update 22 และเวอร์ชันก่อนหน้า
• ColdFusion 2023 – Update 16 และเวอร์ชันก่อนหน้า
• ColdFusion 2025 – Update 4 และเวอร์ชันก่อนหน้า
Adobe Experience Manager (AEM)
• AEM Cloud Service (CS)
• AEM 6.5 LTS
• AEM 6.5.23 และเวอร์ชันก่อนหน้า

แนวทางการตรวจสอบและการป้องกัน

1. ผู้ดูแลระบบควรตรวจสอบเวอร์ชันของ Adobe ColdFusion และ Adobe Experience Manager (AEM) ที่ใช้งานอยู่ในปัจจุบัน เพื่อประเมินว่าระบบเข้าข่ายได้รับผลกระทบจากช่องโหว่หรือไม่ โดยให้ความสำคัญกับระบบที่เปิดให้บริการผ่านเครือข่ายอินเทอร์เน็ต
2. แนะนำให้ดำเนินการอัปเดตเป็นเวอร์ชันล่าสุดตามคำแนะนำของ Adobe โดยเร็วที่สุด เนื่องจากเป็นแนวทางการแก้ไขที่มีประสิทธิภาพสูงสุด และสามารถขจัดความเสี่ยงจากช่องโหว่ได้อย่างถาวร

กรณียังไม่สามารถอัปเดตได้ทันที ดำเนินการดังนี้

1. ใช้มาตรการป้องกันผ่าน Web Application Firewall เพื่อช่วยตรวจจับและบล็อกคำขอที่มีพฤติกรรมผิดปกติ โดยเฉพาะคำขอที่เกี่ยวข้องกับการอัปโหลดไฟล์ต้องสงสัย การโจมตีแบบ Remote Code Execution และ Cross-Site Scripting
2. ตรวจสอบ Log ของ Web Server, Application Server รวมถึง ColdFusion และ AEM เพื่อค้นหาพฤติกรรมที่อาจบ่งชี้ถึงการโจมตีหรือการพยายามเข้าถึงระบบโดยไม่ได้รับอนุญาต
3. พิจารณาปิดหรือจำกัดฟังก์ชันที่ไม่จำเป็นต่อการให้บริการ เช่น ฟังก์ชันอัปโหลดไฟล์ หรือ Module และ Plugin ที่ไม่ได้ใช้งาน พร้อมทั้งตรวจสอบและลดสิทธิ์ของบัญชีผู้ใช้งานให้เป็นไปตามหลัก Least Privilege
4. ผู้ดูแลระบบควรสำรองข้อมูลระบบและข้อมูลสำคัญอย่างสม่ำเสมอ และเตรียมแผนการตอบสนองเหตุการณ์ เพื่อให้สามารถดำเนินการได้อย่างรวดเร็ว หากตรวจพบการโจมตีหรือเหตุผิดปกติ

สำหรับผู้ใช้งานทั่วไป
ผู้ใช้งานระบบภายในองค์กรควรหลีกเลี่ยงการคลิกลิงก์หรือเปิดไฟล์จากแหล่งที่ไม่ทราบที่มา และแจ้งผู้ดูแลระบบทันที หากพบพฤติกรรมระบบผิดปกติ เช่น ระบบทำงานช้าลง หรือมีข้อความแจ้งเตือนที่ไม่คุ้นเคย

ที่มา:
1.https://csa.gov.sg/alerts-and-advisories/alerts/al-2025-119/
2.https://nvd.nist.gov/vuln/detail/CVE-2025-61808
3.https://nvd.nist.gov/vuln/detail/CVE-2025-61809
4.https://nvd.nist.gov/vuln/detail/CVE-2025-64537
5.https://nvd.nist.gov/vuln/detail/CVE-2025-64539

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#AdobePatch
#ColdFusion
#AEM
#CVE2025
#CyberSecurity
#ThaiCERT
#ช่องโหว่Adobe

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ThaiCERT แจ้งเตือนกรณีพบการโจมตีจริงโดยใช้ช่องโหว่ 2 รายการของ Apple มีความเสี่ยงที่จะถูกยึดหรือควบคุมอุปกรณ์ แนะนำอัปเดตเป็น iOS/iPadOS 26.2, macOS Tahoe 26.2 หรือเวอร์ชันล่าสุดอื่น ๆ ที่เกี่ยวข้องทันที

️รายละเอียดของช่องโหว่
•CVE-2025-43529 เป็นช่องโหว่ประเภท Use-after-free ใน WebKit ที่อาจทำให้ผู้โจมตีสามารถรันโค้ดจากระยะไกล (Remote Code Execution) ได้
เมื่อผู้ใช้เปิดเว็บที่ถูกออกแบบมาเป็นพิเศษ
•CVE-2025-14174 เป็นช่องโหว่ Memory Corruption ซึ่งอาจทำให้เกิดการจัดการหน่วยความจำผิดพลาด ผ่านการประมวลผลเนื้อหาเว็บที่เป็นอันตราย

อุปกรณ์ที่ได้รับผลกระทบและเวอร์ชันที่ได้รับการแก้ไข

อุปกรณ์ที่ได้รับผลกระทบ
-iPhone 11 และรุ่นที่ใหม่กว่า
-iPad Pro ขนาด 12.9 นิ้ว (รุ่นที่ 3 และรุ่นที่ใหม่กว่า)
-iPad Pro 11 นิ้ว (รุ่นที่ 1 และรุ่นต่อๆ มา)
-iPad Air (รุ่นที่ 3 และรุ่นที่ใหม่กว่า)
-iPad (รุ่นที่ 8 ขึ้นไป)
-iPad mini (รุ่นที่ 5 ขึ้นไป)

Apple ได้เผยแพร่อัปเดตด้านความมั่นคงปลอดภัยเพื่อแก้ไขช่องโหว่ในผลิตภัณฑ์ โดยเวอร์ชันที่ได้รับการแก้ไขดังนี้
-iOS 26.2 และ iPadOS 26.2
-iOS 18.7.3 และ iPadOS 18.7.3
-macOS Tahoe 26.2
-tvOS 26.2
-watchOS 26.2
-visionOS 26.2
-Safari 26.2 สำหรับ macOS Sonoma และ macOS Sequoia

️แนวทางการป้องกันและลดความเสี่ยง
· อัปเดตระบบปฏิบัติการและ Safari ให้เป็นเวอร์ชันล่าสุดโดยทันที
· เฝ้าระวังการใช้งานที่ผิดปกติของอุปกรณ์ โดยเฉพาะการเข้าชมเว็บไซต์การเชื่อมต่อเครือข่าย
และการทำงานของเบราว์เซอร์
· สำหรับองค์กรให้บังคับใช้นโยบายการอัปเดตแพตช์ ครอบคลุมอุปกรณ์ผู้ใช้งานทั้งหมดภายใต้
การดูแล และไม่ควรอนุญาตให้เลื่อนการติดตั้งแพตช์ด้านความมั่นคงปลอดภัย

รีบอัปเดตซอฟต์แวร์ทุกอุปกรณ์ Apple อย่าช้า! เพื่อความปลอดภัยของท่าน

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

ที่มา
1.https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-117/
2.https://nvd.nist.gov/vuln/detail/CVE-2025-14174
3.https://support.apple.com/en-us/100100
4.https://coesecurity.com/apple-patches-two-webkit-zero-days-actively-exploited-in-sophisticated-attacks/

รายงานสถานการณ์ความปลอดภัยไซเบอร์: พบการโจมตีระลอกใหม่พุ่งเป้าไปที่ระบบ Gogs (Self-hosted Git Service ยอดนิยม) ผ่านช่องโหว่ระดับวิกฤตที่ยังไม่มีแพตช์แก้ไขสมบูรณ์ ส่งผลให้เซิร์ฟเวอร์กว่า 700 แห่งทั่วโลกถูกเจาะระบบแล้ว ผู้ดูแลระบบต้องรีบดำเนินการป้องกันทันที

สรุปสถานการณ์ (Executive Summary)
• CVE ID: CVE-2025-8110
• ความรุนแรง (CVSS): 8.7 (High) - Critical
• สถานะ: Active Exploitation (มีการโจมตีจริงอย่างแพร่หลาย)
• ผลกระทบ: ผู้โจมตีสามารถรันโค้ดจากระยะไกล (RCE) และยึดครองเครื่องเซิร์ฟเวอร์ได้เบ็ดเสร็จ
• สาเหตุ: การจัดการไฟล์ Symbolic Link ที่ไม่ปลอดภัยใน API ทำให้เกิดช่องโหว่ Path Traversal

รายละเอียดทางเทคนิค: เมื่อ "แพตช์เก่า" เอาไม่อยู่
ช่องโหว่นี้ถือเป็น Bypass Vulnerability หรือการหลบเลี่ยงมาตรการป้องกันเดิม โดยก่อนหน้านี้ Gogs ได้พยายามแก้ไขช่องโหว่ CVE-2024-55947 เพื่อป้องกันการเข้าถึงไฟล์ข้าม Directory แล้ว แต่การตรวจสอบดังกล่าวยังมีจุดอ่อนที่ "ไม่ได้ตรวจสอบ Symbolic Links (Symlinks) อย่างถูกต้อง"
กระบวนการโจมตี (Attack Chain):

1. Infiltration: ผู้โจมตีสมัครสมาชิกเข้ามาสร้าง Repository ใหม่ (มักทำผ่านระบบ Open Registration ที่เปิดสาธารณะ)
2. Preparation: ทำการ Commit ไฟล์ที่เป็น Symlink ซึ่งชี้เป้าไปยังไฟล์สำคัญของระบบ (เช่น ไฟล์ Config)
3. Execution: เรียกใช้ PutContents API เพื่อเขียนข้อมูลลงใน Symlink นั้น ระบบของ Gogs จะตรวจสอบแค่ชื่อไฟล์ใน Repo (ซึ่งดูปกติ) แต่เมื่อระบบปฏิบัติการเขียนไฟล์จริง จะเขียนทะลุไปยังปลายทางที่ Symlink ชี้ไว้
4. Takeover: ผู้โจมตีมักเลือกเขียนทับไฟล์ .git/config ในส่วน sshCommand เพื่อสั่งให้เซิร์ฟเวอร์รันคำสั่งอันตราย จนนำไปสู่การยึดเครื่อง (RCE)

ความเสียหายที่ตรวจพบ (Impact & Indicators)
จากการตรวจสอบเซิร์ฟเวอร์ที่ตกเป็นเหยื่อ พบพฤติกรรมของกลุ่มแฮกเกอร์ดังนี้:
• การฝังมัลแวร์: มีการติดตั้งมัลแวร์ Supershell (C2 Framework) โดยซ่อนตัวผ่านเทคนิค Obfuscation และบีบอัดด้วย UPX
• การเชื่อมต่อภายนอก: เครื่องเหยื่อจะสร้าง Reverse SSH Shell เชื่อมต่อกลับไปยัง C2 Server ของแฮกเกอร์ เพื่อรอรับคำสั่งควบคุม
สัญญาณบ่งชี้ว่าคุณอาจถูกโจมตี (IoCs - Indicators of Compromise):

1. Repository แปลกปลอม: มี Repo ชื่อเป็นตัวอักษรภาษาอังกฤษสุ่ม 8 ตัว (เช่น IV79VAew, Km4zoh4s) ที่ถูกสร้างขึ้นช่วง ก.ค. 2025 เป็นต้นมา
2. Traffic ต้องสงสัย: ตรวจสอบ Firewall Log พบการเชื่อมต่อออกไปยัง IP: 119.45.176[.]196
3. ไฟล์ Config ผิดปกติ: ไฟล์ .git/config มีบรรทัด sshCommand แทรกเข้ามา

คำแนะนำและวิธีแก้ไขด่วน (Mitigation)
เนื่องจาก ณ ปัจจุบัน (ธ.ค. 2025) ยังไม่มีแพตช์ Official ที่สมบูรณ์ ผู้ดูแลระบบ ต้อง ดำเนินการดังนี้ทันที:

1. ปิดประตูบ้าน (มาตรการเร่งด่วนที่สุด)
   • Disable Open Registration: ปิดระบบให้คนทั่วไปสมัครสมาชิกได้เองทันที เพื่อตัดวงจรการสร้าง User มาโจมตี
   o วิธีทำ: แก้ไขไฟล์ custom/conf/app.ini ตั้งค่า ENABLE_REGISTRATION = false หรือ DISABLE_REGISTRATION = true
   • จำกัดการเข้าถึง (Network Segmentation): ห้ามนำ Gogs ต่อตรงกับอินเทอร์เน็ตสาธารณะ ควรใช้งานผ่าน VPN หรือกำหนด IP Allow-list เท่านั้น
2. เปลี่ยนระบบยืนยันตัวตน
   • หากจำเป็นต้องใช้งานหลายคน ให้เปลี่ยนไปใช้ SSO หรือ LDAP แทนการให้สมัครเอง
3. การเฝ้าระวัง
   • หมั่นตรวจสอบ GitHub Release ของ Gogs เพื่อรออัปเดตเวอร์ชันใหม่กว่า 0.13.3 ทันทีที่ออกมา
   • หากต้องการความปลอดภัยสูง อาจพิจารณาเปลี่ยนไปใช้ Gitea ซึ่งเป็น Fork ที่มีการอัปเดตความปลอดภัยสม่ำเสมอกว่า

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

ที่มา
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

New Tooling

• Prometheus: Open-Source Metrics And Monitoring Systems And Services
  "Prometheus is an open-source monitoring and alerting system built for environments where services change often and failures can spread fast. For security teams and DevOps engineers, it has become a common way to track system behavior, spot early warning signs, and understand what is happening across large sets of workloads."
  https://www.helpnetsecurity.com/2025/12/15/prometheus-open-source-metrics-monitoring-systems-services/
  https://github.com/prometheus/prometheus

Vulnerabilities

• Atlassian Patches Critical Apache Tika Flaw
  "Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws. The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika. Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December. It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE)."
  https://www.securityweek.com/atlassian-patches-critical-apache-tika-flaw/
  https://securityaffairs.com/185710/security/atlassian-fixed-maximum-severity-flaw-cve-2025-66516-in-apache-tika.html
• FreePBX Patches Critical SQLi, File-Upload, And AUTHTYPE Bypass Flaws Enabling RCE
  "Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below -"
  https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
  CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
  https://securityaffairs.com/185716/hacking/u-s-cisa-adds-apple-and-gladinet-centrestack-and-triofox-flaws-to-its-known-exploited-vulnerabilities-catalog.html

Malware

• Frogblight Threatens You With a Court Case: a New Android Banker Targets Turkish Users
  "In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed “Frogblight”. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages."
  https://securelist.com/frogblight-banker/118440/
• Threats Behind The Mask Of Gentlemen Ransomware
  "Gentlemen is a new ransomware group first identified around August 2025. The group operates a double extortion model that involves breaching corporate networks, exfiltrating data, encrypting the data, and then using the encrypted data to extort victims. During the breach, the group employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD). As of now, there is no clear evidence that the group is operating on a Ransomware as a Service (RaaS) model. Additionally, it is yet to be confirmed whether the group is a rebranding of an existing ransomware group or a sub-group."
  https://asec.ahnlab.com/en/91545/
• SantaStealer Is Coming To Town: A New, Ambitious Infostealer Advertised On Underground Forums
  "Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.” The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP."
  https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
  https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/
• Askul Confirms Theft Of 740k Customer Records In Ransomware Attack
  "Japanese e-commerce giant Askul Corporation has confirmed that RansomHouse hackers stole around 740,000 customer records in the ransomware attack it suffered in October. Askul is a large business-to-business and business-to-consumer office supplies and logistics e-commerce company owned by Yahoo! Japan Corporation. The ransomware incident in October caused an IT system failure, forcing the company to suspend shipments to customers, including the retail giant Muji."
  https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/
• Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
  "On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress."
  https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
  https://www.bleepingcomputer.com/news/security/google-links-more-chinese-hacking-groups-to-react2shell-attacks/
  https://www.bankinfosecurity.com/nation-state-cybercrime-exploits-tied-to-react2shell-a-30285
  https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/
  https://www.theregister.com/2025/12/15/react2shell_flaw_china_iran/
• GitHub Scanner For React2Shell (CVE-2025-55182) Turns Out To Be Malware
  "A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports. Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware."
  https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/
• Operation MoneyMount-ISO — Deploying Phantom Stealer Via ISO-Mounted Executables
  "At Seqrite Labs, we continuously monitor global cyber threat activity. During ongoing threat monitoring, the Seqrite Labs Researcher Team identified an active phishing campaign originating from Russia. This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain. The attack initiates with a social engineering email masquerading as a legitimate financial correspondence, claiming to confirm a payment transaction. The email contains a malicious ZIP archive, which, when opened, triggers the execution of the payload."
  https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
  https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html
  https://www.infosecurity-magazine.com/news/russian-phishing-phantom-stealer/
• 8 Million Users' AI Conversations Sold For Profit By "Privacy" Extensions
  "A few weeks ago, I was wrestling with a major life decision. Like I've grown used to doing, I opened Claude and started thinking out loud-laying out the options, weighing the tradeoffs, asking for perspective. Midway through the conversation, I paused. I realized how much I'd shared: not just this decision, but months of conversations-personal dilemmas, health questions, financial details, work frustrations, things I hadn't told anyone else. I'd developed a level of candor with my AI assistant that I don't have with most people in my life. And then an uncomfortable thought: what if someone was reading all of this?"
  https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
  https://thehackernews.com/2025/12/featured-chrome-browser-extension.html
• Amazon Threat Intelligence Identifies Russian Cyber Threat Group Targeting Western Critical Infrastructure
  "As we conclude 2025, Amazon Threat Intelligence is sharing insights about a years-long Russian state-sponsored campaign that represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined. This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure."
  https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
  https://www.theregister.com/2025/12/15/amazon_ongoing_gru_campaign/
• GOLD SALEM Tradecraft For Deploying Warlock Ransomware
  "In mid-August 2025, Counter Threat Unit (CTU) researchers identified the use of the legitimate Velociraptor digital forensics and incident response (DFIR) tool in likely ransomware precursor activity. Subsequent investigation and analysis of events in customer environments led CTU researchers to assess with high confidence that these incidents occurred with intent to deploy Warlock ransomware, which is operated by the GOLD SALEM cybercrime group."
  https://news.sophos.com/en-us/2025/12/11/gold-salem-tradecraft-for-deploying-warlock-ransomware/

Breaches/Hacks/Leaks

• PornHub Extorted After Hackers Steal Premium Member Activity Data
  "Adult video platform PornHub is being extorted by the ShinyHunters extortion gang after the search and watch history of its Premium members was reportedly stolen in a recent Mixpanel data breach. Last week, PornHub disclosed that it was impacted by a recent breach at analytics vendor Mixpanel. Mixpanel suffered a breach on November 8th, 2025, after an SMS phishing (smishing) attack enabled threat actors to compromise its systems. "A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users," reads a PornHub security notice posted on Friday."
  https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/
• 700Credit Data Breach Impacts 5.8 Million Vehicle Dealership Customers
  "700Credit, a U.S.-based financial services and fintech company, will start notifying more than 5.8 million people that their personal information has been exposed in a data breach incident. The cyberattack occurred after a threat actor had breached one of 700Credit's integration partners in July and discovered an API for obtaining customer information. However, the partner did not inform 700Credit of the compromise."
  https://www.bleepingcomputer.com/news/security/700credit-data-breach-impacts-58-million-vehicle-dealership-customers/
  https://therecord.media/data-breaches-affecting-20-million-prosper-700credit
  https://www.securityweek.com/700credit-data-breach-impacts-5-8-million-individuals/
  https://securityaffairs.com/185692/data-breach/u-s-fintech-and-data-services-firm-700credit-suffered-a-data-breach-impacting-at-least-5-6-million-people.html
• Youth Sports, NCAA Insurance Claims Potentially Hacked
  "A Maine-based third-party administrator that handles healthcare claims involving day care centers, youth sports and NCAA athlete accidents is notifying more than 181,000 claimants that their medical information and personal identifiers may have been accessed or stolen in an April hacking incident. National Accident Health General Agency, or NAHGA, describes itself as a third-party administrator that focuses on secondary accident insurance claims processing for clients across the country."
  https://www.bankinfosecurity.com/youth-sports-ncaa-insurance-claims-potentially-hacked-a-30292
• Jaguar Land Rover Confirms Staff Data Stolen In Cyberattack
  "British car manufacturer Jaguar Land Rover (JLR) has confirmed data belonging to current and former employees was compromised in a cyberattack that struck in August. The announcement is the first time the company has provided any details about the attack, which halted production for more than a month, ultimately leaving JLR short of more than $890 million."
  https://therecord.media/jaguar-land-rover-confirms-staff-data-stolen-cyberattack
  https://www.theregister.com/2025/12/15/jlr_payroll_data_stolen_in/
• SoundCloud Confirms Breach After Member Data Stolen, VPN Access Disrupted
  "Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors. In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures."
  https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/

General News

• Europe’s DMA Raises New Security Worries For Mobile Ecosystems
  "Mobile security has long depended on tight control over how apps and services interact with a device. A new paper from the Center for Cybersecurity Policy and Law warns that this control may weaken as the European Union’s Digital Markets Act pushes mobile platforms to open core functions to outside developers. The report explains that the DMA requires large platform providers to support free interoperability with mobile hardware and software features that sit deep in the operating system. These internal functions were never designed for open access. This single requirement introduces a set of risks that grow as more system components are exposed."
  https://www.helpnetsecurity.com/2025/12/15/eu-dma-mobile-security-risks/
  https://cdn.prod.website-files.com/660ab0cd271a25abeb800460/692f22683cc0c02728db52bb_Europe_DMA_All_120325.pdf
• How Researchers Are Teaching AI Agents To Ask For Permission The Right Way
  "People are starting to hand more decisions to AI agents, from booking trips to sorting digital files. The idea sounds simple. Tell the agent what you want, then let it work through the steps. The hard part is what the agent does with personal data along the way. A new research study digs into this problem, and asks a basic question. How should an AI agent know when to use someone’s data without asking every time?"
  https://www.helpnetsecurity.com/2025/12/15/research-ai-agent-permissions/
  https://arxiv.org/pdf/2511.17959
• From Fake Deals To Phishing: The Most Effective Christmas Scams Of 2025
  "As the season of giving unfolds, cyber criminals are taking advantage of holiday stress and speed. In 2025, scams are not only more common, they’re powered by AI and automation, making them harder to spot. Researchers at Check Point detected 33,502 Christmas-themed phishing emails in the past two weeks alone, along with more than 10,000 fake advertisements being created daily on social media channels. Many mimic festive promotions, while others push fake Walmart or Home Depot deals, fraudulent charity appeals, and urgent delivery notices."
  https://blog.checkpoint.com/research/from-fake-deals-to-phishing-the-most-effective-christmas-scams-of-2025/
• Think Like An Attacker: Cybersecurity Tips From Cato Networks' CISO
  "Welcome to Dark Reading's Heard it From a CISO video series, which offers advice on breaking into and advancing within the cybersecurity field from those who have been there. Cybersecurity is a field that touches every aspect of modern life, from personal privacy to global business operations. In Dark Reading's latest episode, Etay Mayor, chief security strategist at Cato Networks and professor at Boston College, shares his journey, expertise, and advice for those interested in entering this ever-evolving domain."
  https://www.darkreading.com/cybersecurity-operations/cybersecurity-tips-cato-networks-ciso
• The 2025 Cloudflare Radar Year In Review: The Rise Of AI, Post-Quantum, And Record-Breaking DDoS Attacks
  "The 2025 Cloudflare Radar Year in Review is here: our sixth annual review of the Internet trends and patterns we observed throughout the year, based on Cloudflare’s expansive network view. Our view is unique, due to Cloudflare’s global network, which has a presence in 330 cities in over 125 countries/regions, handling over 81 million HTTP requests per second on average, with more than 129 million HTTP requests per second at peak on behalf of millions of customer Web properties, in addition to responding to approximately 67 million (authoritative + resolver) DNS queries per second."
  https://blog.cloudflare.com/radar-2025-year-in-review/
  https://www.helpnetsecurity.com/2025/12/15/cloudflare-internet-trends-2025/
• Militant Groups Are Experimenting With AI, And The Risks Are Expected To Grow
  "As the rest of the world rushes to harness the power of artificial intelligence, militant groups also are experimenting with the technology, even if they aren’t sure exactly what to do with it. For extremist organizations, AI could be a powerful tool for recruiting new members, churning out realistic deepfake images and refining their cyberattacks, national security experts and spy agencies have warned. Someone posting on a pro-Islamic State group website last month urged other IS supporters to make AI part of their operations. “One of the best things about AI is how easy it is to use,” the user wrote in English."
  https://www.securityweek.com/militant-groups-are-experimenting-with-ai-and-the-risks-are-expected-to-grow/
• Analyzing Partially Encrypted Network Flows With Mid-Encryption
  "Encrypted traffic has come to dominate network flows, which makes it difficult for traditional flow monitoring tools to maintain visibility. This is particularly true when the process to enable encryption occurs after an initial data exchange, causing the encryption attributes to be missed. In this blog post we take a closer look at a new feature added to CERT’s Yet Another Flowmeter tool (YAF) to capture the attributes of encryption when it occurs after the start of the session. We call this mid-encryption. We explore what mid-encryption means, why it matters, how it works within YAF, and what benefits this brings to traffic analysis and network security teams."
  https://www.sei.cmu.edu/blog/analyzing-partially-encrypted-network-flows-with-mid-encryption/
• The 2025 ITRC Consumer Impact Report: A New Era Of Identity Crime
  "Founded in 1999, the Identity Theft Resource Center (ITRC) is a national nonprofit dedicated to empowering and guiding consumers, victims, businesses and government agencies to minimize risk and mitigate the impact of identity compromise and crime. The ITRC provides free victim assistance and consumer education through its website, live chat and toll-free phone support. It also tracks data breaches and offers resources for both individuals and businesses to stay informed and protected, including an annual report on the previous year’s trends in identity theft and data breaches. The 2025 ITRC Consumer Impact Report was published recently, and its tone is markedly more urgent than previous years’ reports."
  https://blog.barracuda.com/2025/12/15/2025-irtc-consumer-impact-report-new-era-identity-crime
  https://www.idtheftcenter.org/publication/itrc-2025-consumer-impact-report/
• Third DraftKings Hacker Pleads Guilty
  "Nathan Austad is the third individual to plead guilty to launching a credential stuffing attack against a fantasy sports and betting website, the DoJ announced. Austad, 21, of Farmington, Minnesota, also known as ‘Snoopy’, admitted in court to his role in a scheme to hack thousands of user accounts and sell access to them to drain their funds. According to documents and statements presented in court, Austad and his co-conspirators compromised over 60,000 user accounts at the betting website."
  https://www.securityweek.com/third-draftkings-hacker-pleads-guilty/
• CERT-FR Recommends Completely Deactivate Wi-Fi Whenever It’s Not In Use
  "The CERT-FR (French Computer Emergency Response Team) is advising iPhone and Android users to fully disable Wi-Fi to reduce risk. CERT-FR warns iPhone and Android users to fully disable Wi-Fi to reduce exposure, citing multiple vulnerabilities across wireless interfaces, apps, OSs, and even hardware. The agency reiterates basic hygiene: install apps only from official stores, review permissions, keep devices updated and rebooted, use a VPN on public Wi-Fi, and disable auto-join on open networks."
  https://securityaffairs.com/185702/hacking/cert-fr-recommends-completely-deactivate-wi-fi-whenever-its-not-in-use.html
• The Budget Effect Of a Security Incident
  "As sophisticated cyber-attacks increasingly target SaaS data, both vendors and customers are pushing to increase investments in SaaS security. Vendors are dedicating substantial resources to product development, incident communication and customer outreach. Simultaneously, many customers are elevating SaaS security conversations to their CISOs and Information Security (InfoSec) teams. Others are still considering their options and their risk appetites."
  https://www.infosecurity-magazine.com/blogs/the-budget-effect-of-a-security/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Financial Sector

• Money Mules Require Banks To Switch From Defense To Offense
  "QUESTION: How can security and fraud teams identify money mules? Jonathan Frost, director of global advisory for EMEA, BioCatch: The Financial Conduct Authority's (FCA) review of the UK's National Fraud Database (NFD) revealed 194,000 money mule accounts were offboarded between January 2022 and September 2023. Only 37% of mules were reported to the NFD (operated by Cifas) last year."
  https://www.darkreading.com/threat-intelligence/money-mules-require-banks-to-switch-from-defense-to-offense

Telecom Sector

• Uneven Regulatory Demands Expose Gaps In Mobile Security
  "Mobile networks carry a great deal of the world’s digital activity, which makes operators a frequent target for attacks. A study released by the GSMA shows that operators spend between $15 and $19 billion a year on core cybersecurity functions. Spending could reach more than $40 billion by 2030. These figures do not include expenses tied to resilience, training, or governance. Security teams face attack volumes that exceed anything planned for a decade ago. Some operators record billions of attempts each year to scan for weaknesses or push malicious traffic into their networks. Outages linked to denial of service attacks remain common, and attempts to gain unauthorized access continue to rise."
  https://www.helpnetsecurity.com/2025/12/12/gsma-mobile-network-security-pressures-report/

Vulnerabilities

• Apple Fixes Two Zero-Day Flaws Exploited In 'sophisticated' Attacks
  "Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," reads Apple's security bulletin."
  https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
  https://support.apple.com/en-us/125884
  https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html
  https://securityaffairs.com/185628/hacking/emergency-fixes-deployed-by-google-and-apple-after-targeted-attacks.html
• New React RSC Vulnerabilities Enable DoS And Source Code Exposure
  "The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild."
  https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
  https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/
• React2Shell Exploitation Escalates Into Large-Scale Global Attacks, Forcing Emergency Mitigation
  "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK."
  https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
• Free Micropatches For Windows Remote Access Connection Manager DoS (0day)
  "During our investigation of CVE-2025-59230, a Windows Remote Access Connection Manager elevation of privilege vulnerability that was patched by Microsoft with October 2025 Windows updates, we found an exploit for it that nicely demonstrated local arbitrary code execution as Local System when launched as a non-admin Windows user. Interestingly though, this exploit - while exploiting CVE-2025-59230 - also included an exploit for another vulnerability that turned out to have remained unpatched to this day. Let's take a closer look."
  https://blog.0patch.com/2025/12/free-micropatches-for-windows-remote.html
  https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day-flaw-gets-free-unofficial-patches/
  https://www.theregister.com/2025/12/12/microsoft_windows_rasman_dos_0day/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog
  https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html
  https://securityaffairs.com/185639/security/u-s-cisa-adds-google-chromium-and-sierra-wireless-airlink-aleos-flaws-to-its-known-exploited-vulnerabilities-catalog.html

Malware

• Fake ‘One Battle After Another’ Torrent Hides Malware In Subtitles
  "A fake torrent for Leonardo DiCaprio’s 'One Battle After Another' hides malicious PowerShell malware loaders inside subtitle files that ultimately infect devices with the Agent Tesla RAT malware. The malicious torrent file was discovered by Bitdefender researchers while investigating a spike in detections related to the movie. One Battle After Another is a highly rated Paul Thomas Anderson movie released on September 26, 2025, starring Leonardo DiCaprio, Sean Penn, and Benicio del Toro."
  https://www.bleepingcomputer.com/news/security/fake-one-battle-after-another-torrent-hides-malware-in-subtitles/
• PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals
  "Over the last several months, dormant GitHub accounts, some inactive for years, suddenly reactivated and began publishing polished, AI-generated projects that included OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities. Several of these repositories climbed into GitHub’s top trending lists, placing them directly in front of IT administrators, cybersecurity analysts, and OSINT professionals. Only after some of these repositories gained traction did attackers introduce subtle “maintenance” commits that deployed a previously undocumented JavaScript/HTA backdoor Morphisec researchers have coined “PyStoreRAT’."
  https://www.morphisec.com/blog/pystorerat-a-new-ai-driven-supply-chain-malware-campaign-targeting-it-osint-professionals/
  https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
  https://hackread.com/pystorerat-rat-malware-github-osint-researchers/
• Oyster Backdoor Resurfaces: Analyzing The Latest SEO Poisoning Attacks
  "CyberProof Threat Hunters and Intel Analysts continue to see a new wave of SEO poisoning, that they noticed starting in mid-November 2025, delivering Oyster backdoor tricking users to download malicious office meeting software files like Microsoft teams and Google meet. The samples reviewed were recently compiled and using new infrastructure and difference certificates which were not reported before, however revoked now. We quickly stumbled upon a blog post by Rapid7 researchers in June that shared insights on Oyster backdoor using similar file names but different certificates."
  https://www.cyberproof.com/blog/oyster-backdoor-resurfaces-analyzing-the-latest-seo-poisoning-attacks/
  https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/
• Following The Digital Trail: What Happens To Data Stolen In a Phishing Attack
  "A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a commodity and enters the shadow market conveyor belt. In this article, we trace the path of the stolen data, starting from its collection through various tools – such as Telegram bots and advanced administration panels – to the sale of that data and its subsequent reuse in new attacks. We examine how a once leaked username and password become part of a massive digital dossier and why cybercriminals can leverage even old leaks for targeted attacks, sometimes years after the initial data breach."
  https://securelist.com/what-happens-to-stolen-data-after-phishing-attacks/118180/
• Technical Analysis Of The BlackForce Phishing Kit
  "Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300."
  https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
  https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html
• Investigating An Adversary-In-The-Middle Phishing Campaign Targeting Microsoft 365 And Okta Users
  "Datadog has identified an active phishing campaign that targets organizations that use Microsoft 365 and Okta for their single sign-on (SSO) and is able to hijack the legitimate SSO flow. In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your Okta and Microsoft 365 logs."
  https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta/
• Chinese APT Targets Uzbekistan
  "In November, TG Soft's Anti-Malware Research Center (C.R.A.M) identified a cyber-espionage campaign targeting government agencies in Uzbekistan. Since the initial campaign identified on November 12, two other campaigns have been found that can be associated with the same threat actor."
  https://www.tgsoft.it/news/news_archivio.asp?id=1693
• Beware: PayPal Subscriptions Abused To Send Fake Purchase Emails
  "An email scam is abusing abusing PayPal’s "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field. Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active." The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone."
  https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/

Breaches/Hacks/Leaks

• Fieldtex Data Breach Impacts 238,000
  "Fieldtex Products, a US company that provides contract sewing and medical supply fulfillment services, has disclosed a data breach after it was targeted by a notorious ransomware group. In a data security incident notice posted on its website on November 20, Fieldtex said it detected unauthorized access to its systems in mid-August. An investigation showed that hackers may have gained access to “a limited amount of protected health information”."
  https://www.securityweek.com/fieldtex-data-breach-impacts-238000/
  https://www.bankinfosecurity.com/fieldtex-trizetto-reveal-new-healthcare-breaches-a-30280
• 4B+ Records, Including Numerous LinkedIn Profiles, Exposed In One Of The Largest Lead-Generation Datasets Ever Found Open
  "While massive contact databases can be a significant time-saver for businesses, they also have a major drawback – security. If left unprotected, a single exposed dataset can endanger the privacy of millions of users. That’s exactly what the Cybernews research team discovered in a recent major data leak. The team found an unprotected MongoDB instance containing a staggering 16.14 terabytes of professional and corporate intelligence data. In total, researchers discovered nearly 4.3 billion documents, making it one of the largest lead-generation datasets to have ever leaked."
  Priority: 3 - Important
  Relevance: General
  https://cybernews.com/security/database-exposes-billions-records-linkedin-data/
  https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html

General News

• The CISO-COO Partnership: Protecting Operational Excellence
  "At first glance, the chief information security officer and chief operating officer appear to operate in fundamentally different worlds — perhaps even at odds with one another. While the CISO is preoccupied with threat vectors, vulnerabilities and intrusions; the COO obsesses over margins, uptime, and efficiency. However, the digitally transformed enterprise demands CISOs and COOs build strong, intentional partnerships."
  https://www.darkreading.com/cybersecurity-operations/the-ciso-coo-partnership-protecting-operational-excellence
• Vibe Coding: Innovation Demands Vigilance
  "The hype surrounding AI in software development is undeniable. We are witnessing a paradigm shift, where "vibe coding" — expressing intent in natural language and leveraging AI large language models (LLMs) or agents to generate and refine code — is rapidly gaining traction. This approach promises unprecedented speed, lower barriers to entry, and accelerated prototyping. Yet, as a cybersecurity professional, I see a critical caveat: vibe coding's velocity often comes at the expense of the controls that safeguard our digital infrastructure."
  https://www.darkreading.com/application-security/vibe-coding-innovation-demands-vigilance
• Supply Chain Attacks Targeting GitHub Actions Increased In 2025
  "Some of the most significant software supply chain incidents over the past year were carried out by threat actors who exploited vulnerabilities in GitHub, the global repository widely used by software developers to host and collaboratively maintain code. Major supply chain attacks, such as Ultralytics, Singularity, Shibaud/Shai-Hulud, and GitHub Action tj-actions/changed-files, are among those in which threat actors compromised GitHub Actions, the continuous integration and continuous delivery capability in GitHub that lets developers automate software development workflows."
  https://www.darkreading.com/application-security/supply-chain-attacks-targeting-github-actions-increased-in-2025
• Your Updated Guide To AI In Cybersecurity: Adoption, Trends, Challenges, And The Future
  "The influence of AI in various areas of commerce is much larger than what was initially anticipated. AI isn’t just seen as a force multiplier; it’s the new age of business where organizations are betting on its potential even to wipe out certain workforces. Would it be the reality of work? Only time will tell. Soon. However, it is certain that AI is proving to be a worthy companion, making teams more efficient, automating redundant tasks, managing data, systems, and processes, and even narrowing the skill gap between, say, a new security analyst and an experienced one, thereby reducing overheads and operational hiccups."
  https://www.group-ib.com/blog/ai-cybersecurity-guide-2025/
• What 35 Years Of Privacy Law Say About The State Of Data Protection
  "Privacy laws have expanded around the world, and security leaders now work within a crowded field of requirements. New research shows that these laws provide stronger rights and duties, but the protections do not always translate into reductions in harm. The study looks at thirty five years of privacy history, from the rise of early data protection efforts to the current landscape of AI driven risk, cross border transfers, and uneven enforcement."
  https://www.helpnetsecurity.com/2025/12/12/global-privacy-enforcement-trends-research/
  https://www.mdpi.com/2624-800X/5/4/103
• LLM Privacy Policies Keep Getting Longer, Denser, And Nearly Impossible To Decode
  "People expect privacy policies to explain what happens to their data. What users get instead is a growing wall of text that feels harder to read each year. In a new study, researchers reviewed privacy policies for LLMs and traced how they changed. Researchers looked at privacy policies from 11 providers and tracked 74 versions over several years. The average policy reached about 3,346 words, which is about 53 percent longer than the average for general software policies published in 2019."
  https://www.helpnetsecurity.com/2025/12/12/llms-privacy-policies-study/
  https://arxiv.org/pdf/2511.21758
• Ransomware Keeps Widening Its Reach
  "Ransomware keeps shifting into new territory, pulling in victims from sectors and regions that once saw fewer attacks. The latest Global Threat Briefing for H2 2025 from CyberCube shows incidents spreading in ways that make it harder for security leaders to predict where threats will rise next. Researchers evaluated incident patterns, sector level exposure and signals drawn from threat actor behavior. Their aim was to map where ransomware is spreading, which organizations sit in higher risk clusters and how security posture shapes exposure."
  https://www.helpnetsecurity.com/2025/12/12/global-ransomware-trends-2025/
• Turn Me On, Turn Me Off: Zigbee Assessment In Industrial Environments
  "We all encounter IoT and home automation in some form or another, from smart speakers to automated sensors that control water pumps. These services appear simple and straightforward to us, but many devices and protocols work together under the hood to deliver them. One of those protocols is Zigbee. Zigbee is a low-power wireless protocol (based on IEEE 802.15.4) used by many smart devices to talk to each other. It’s common in homes, but is also used in industrial environments where hundreds or thousands of sensors may coordinate to support a process."
  https://securelist.com/zigbee-protocol-security-assessment/118373/
• Nevada Ransomware Attack Offers Lessons In Statewide Cyber Resilience
  "In August 2025, Nevada state government systems suddenly went offline. What initially appeared to be a routine outage turned out to be a full-scale ransomware attack affecting more than 60 state agencies—including Department of Motor Vechiles (DMV) systems, social services, law enforcement, state payroll, and more. Some systems remained offline for 28 days."
  https://blog.barracuda.com/2025/12/11/nevada-ransomware-attack-offers-lessons-in-statewide-cyber-resil
• Locks, SOCs And a Cat In a Box: What Schrödinger Can Teach Us About Cybersecurity
  "I recently had, what I thought, was a unique brainwave. (Spoiler alert: it wasn’t, but please read on!) As a marketing leader at ESET UK, part of my role is to communicate how our powerful and comprehensive solutions can be implemented to protect organisations, in a way that helps clarify the case for upgrading to higher levels of cybersecurity. And that need for clarity is now more urgent than ever."
  https://www.welivesecurity.com/en/business-security/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity/
• France And Germany Grappling With Nation-State Hacks
  "The French Ministry of Interior is investigating a suspected nation-state cyberattack that targeted its email server. Additionally, the German government on Friday attributed a 2024 hacking incident on air traffic control systems to Russian nation-state hackers. French Interior Minister Laurent Nuñez told French outlet RTL it's uncertain whether hackers stole files. Details of the hack are sparse, but the minister said the attack could be "foreign interference.""
  https://www.bankinfosecurity.com/france-germany-grappling-nation-state-hacks-a-30282

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Fortinet ออกประกาศเตือนช่องโหว่ความรุนแรงระดับ Critical ในกระบวนการยืนยันตัวตนผ่าน FortiCloud SSO (SAML-based Authentication)
ช่องโหว่นี้ทำให้ผู้โจมตีที่ ไม่ได้รับการยืนยันตัวตน สามารถ ข้ามขั้นตอนการ Login ของผู้ดูแลระบบ (Admin Authentication Bypass) และเข้าควบคุมอุปกรณ์ได้
อุปกรณ์ที่เปิดใช้ FortiCloud SSO และมี Management Interface เข้าถึงได้จาก Internet มีความเสี่ยงสูงมาก

สรุปภาพรวม (Overview)Fortinet ได้เผยแพร่การอัปเดตความปลอดภัยเพื่อแก้ไขช่องโหว่วิกฤต 2 รายการ ได้แก่
CVE-2025-59718, CVE-2025-59719 | CVSS 9.8 (Critical)
ช่องโหว่ดังกล่าวส่งผลต่อกระบวนการยืนยันตัวตนแบบ FortiCloud SSO (SAML-based authentication) เนื่องจากมีการตรวจสอบลายเซ็นดิจิทัลของ SAML Response
ไม่ถูกต้อง (Improper Cryptographic Signature Verification)
ผลที่เกิดขึ้นคือ ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถ Bypass การ Login ของผู้ดูแลระบบ (Admin Authentication Bypass) ได้

รายละเอียดช่องโหว่ (Vulnerability Details)
CVE-2025-59718
•ผลิตภัณฑ์ที่ได้รับผลกระทบ:

• FortiOS
• FortiProxy
• FortiSwitchManager
  •ประเภทช่องโหว่: Improper Verification of Cryptographic Signature
  •รายละเอียดทางเทคนิค: ระบบตรวจสอบ SAML Response จาก FortiCloud SSO ไม่ถูกต้อง ทำให้สามารถใช้ SAML Message ที่ถูกปลอมแปลงเพื่อผ่านการยืนยันตัวตนได้
  •ผลกระทบ: Bypass Admin Authentication โดยไม่ต้องใช้ Credentials

CVE-2025-59719
•ผลิตภัณฑ์ที่ได้รับผลกระทบ:FortiWeb
•ประเภทช่องโหว่: Improper Verification of Cryptographic Signature
•รายละเอียดทางเทคนิค: การตรวจสอบลายเซ็น SAML ไม่รัดกุม ทำให้ผู้โจมตีสามารถปลอมแปลง SAML Response เพื่อเข้าสู่ระบบผู้ดูแลได้
•ผลกระทบ: Unauthenticated Admin Access

ผลกระทบทางเทคนิค (Technical Impact)
หากถูกโจมตีสำเร็จ อาจส่งผลกระทบดังต่อไปนี้:
•ข้ามขั้นตอนการยืนยันตัวตนผู้ดูแลระบบ (Admin Authentication Bypass)
•เข้าควบคุมอุปกรณ์ Fortinet โดยไม่ได้รับอนุญาต
•เปลี่ยนแปลงหรือทำลาย Configuration
•สร้างบัญชี Admin เพิ่มโดยไม่ทราบที่มา
•เป็นจุดเริ่มต้นของการโจมตีภายในเครือข่าย (Lateral Movement)
️ ความเสี่ยงสูงมากหาก Management Interface เปิดให้เข้าถึงจาก Internet

เวอร์ชันที่ได้รับผลกระทบ (Affected Versions)
FortiOS
•7.0.0 – 7.0.17
•7.2.0 – 7.2.11
•7.4.0 – 7.4.8
•7.6.0 – 7.6.3
FortiProxy
•7.0.0 – 7.0.21
•7.2.0 – 7.2.14
•7.4.0 – 7.4.10
•7.6.0 – 7.6.3
FortiSwitchManager
•7.0.0 – 7.0.5
•7.2.0 – 7.2.6
FortiWeb
•7.4.0 – 7.4.9
•7.6.0 – 7.6.4
•8.0.0

แนวทางแก้ไข (Mitigation – Recommended)️
1️⃣ แนวทางที่แนะนำ (Priority)
•อัปเกรด Firmware ของอุปกรณ์ที่ได้รับผลกระทบเป็นเวอร์ชันล่าสุดทันที
•ตรวจสอบว่าอุปกรณ์ใดมีการเปิดใช้ FortiCloud SSO

2️⃣ แนวทางแก้ไขชั่วคราว (Workaround)
หากไม่สามารถอัปเกรดได้ทันที ให้ดำเนินการดังนี้:
ปิด FortiCloud SSO สำหรับ Admin Login
ผ่าน GUI
•ไปที่ System → Settings
•ปิด Allow administrative login using FortiCloud SSO
ผ่าน CLI
config system global
set admin-forticloud-sso-login disable
end
หมายเหตุ: เป็นเพียงการลดความเสี่ยงชั่วคราว ไม่ใช่การแก้ไขถาวร

คำแนะนำด้านความปลอดภัยเพิ่มเติม (Security Hardening)️
•จำกัดการเข้าถึง Management Interface ด้วย IP Allowlist
•ตรวจสอบ Log:

• Admin Login
• FortiCloud / SAML Authentication
  •ตรวจสอบการสร้าง Admin Account ใหม่ที่ผิดปกติ
  •เปิดใช้งาน MFA สำหรับบัญชีผู้ดูแลระบบ
  •ตรวจสอบ Configuration Backup ว่ามีการเปลี่ยนแปลงผิดปกติหรือไม่

แหล่งอ้างอิง (References)
1.Fortinet PSIRT Advisory – FG-IR-25-647
https://fortiguard.fortinet.com/psirt/FG-IR-25-647
2.Australian Cyber Security Centre (ACSC)
Critical Vulnerabilities in Multiple Fortinet Products – FortiCloud SSO Login Authentication Bypass
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-multiple-fortinet-products-forticloud-sso-login-authentication-bypass
3.NVD – CVE-2025-59718
https://nvd.nist.gov/vuln/detail/CVE-2025-59718
4.NVD – CVE-2025-59719
https://nvd.nist.gov/vuln/detail/CVE-2025-59719
5.Arctic Wolf – Technical Analysis
https://arcticwolf.com/resources/blog/cve-2025-59718-and-cve-2025-59719/

#CyberSecurity #Fortinet #CyberSecurity #Vulnerability #ThaiCERT #ข่าวไซเบอร์ #เตือนภัยไซเบอร์

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 12 รายการ เมื่อวันที่ 2 ธันวาคม 2025 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-25-345-01 Johnson Controls iSTAR
• ICSA-25-345-02 Johnson Controls iSTAR Ultra
• ICSA-25-345-03 AzeoTech DAQFactory
• ICSA-25-345-04 Siemens IAM Client
• ICSA-25-345-05 Siemens Advanced Licensing (SALT) Toolkit
• ICSA-25-345-06 Siemens SINEMA Remote Connect Server
• ICSA-25-345-07 Siemens Building X - Security Manager Edge Controller
• ICSA-25-345-08 Siemens Energy Services
• ICSA-25-345-09 Siemens Gridscale X Prepay
• ICSA-25-345-10 OpenPLC_V3
• ICSMA-25-345-01 Grassroots DICOM (GDCM)
• ICSMA-25-345-02 Varex Imaging Panoramic Dental Imaging Software

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ThaiCERT ตรวจพบรายงานช่องโหว่ความรุนแรงระดับวิกฤต หมายเลข CVE-2025-10573 ในผลิตภัณฑ์ Ivanti Endpoint Manager (EPM) ซึ่งเป็นช่องโหว่ประเภท Stored Cross-Site Scripting (Stored XSS) โดยมีคะแนนความรุนแรงตามมาตรฐาน CVSS v3.1 เท่ากับ 9.6
ช่องโหว่นี้เปิดโอกาสให้ผู้ไม่หวังดีสามารถโจมตีระบบได้ โดยไม่จำเป็นต้องผ่านการยืนยันตัวตน ผู้โจมตีสามารถฝังโค้ดอันตรายไว้ในข้อมูลภายในระบบ EPM และเมื่อผู้ดูแลระบบเข้าถึงหน้า Dashboard หรือหน้าจัดการที่เกี่ยวข้อง โค้ดดังกล่าวจะถูกเรียกใช้งานโดยอัตโนมัติภายใต้สิทธิ์ระดับผู้ดูแลระบบ ส่งผลให้มีความเสี่ยงสูงต่อการถูกยึดควบคุมระบบบริหารจัดการเครื่องลูกข่ายทั้งหมด และอาจถูกใช้เป็นฐานในการขยายการโจมตีไปยังระบบอื่นภายในองค์กร
ช่องโหว่นี้ส่งผลกระทบต่อ Ivanti Endpoint Manager (EPM) เวอร์ชันก่อน 2024 SU4 SR1 ซึ่งจำเป็นต้องเร่งดำเนินการแก้ไขโดยทันที
รายละเอียดช่องโหว่
ประเภทช่องโหว่: Stored Cross-Site Scripting (Stored XSS)
ระดับความรุนแรง: Critical (CVSS v3.1 = 9.6)
เงื่อนไขการโจมตี: ไม่ต้องยืนยันตัวตน (Unauthenticated)
ผู้โจมตีสามารถส่งข้อมูลที่มี Payload อันตรายเข้าสู่ระบบ EPM ได้โดยตรง เมื่อข้อมูลดังกล่าวถูกแสดงผลบนหน้า Dashboard หรือหน้าจัดการของผู้ดูแลระบบ โค้ด JavaScript ที่ฝังไว้จะทำงานทันทีภายใต้สิทธิ์ระดับผู้ดูแลระบบ
ลักษณะการโจมตีโดยสรุป

1. ผู้โจมตีส่งข้อมูลที่มี Payload อันตรายเข้าสู่ระบบ EPM
2. ข้อมูลถูกจัดเก็บไว้ในระบบ (Stored)
3. ผู้ดูแลระบบเปิดหน้า Dashboard หรือหน้าจัดการที่เกี่ยวข้อง
4. โค้ดอันตรายถูกเรียกใช้งานอัตโนมัติด้วยสิทธิ์ระดับผู้ดูแลระบบ
   ผลกระทบที่อาจเกิดขึ้น
   • การสวมรอยหรือยึดควบคุมเซสชันของผู้ดูแลระบบโดยไม่ได้รับอนุญาต
   • การสั่งให้ระบบดำเนินการต่าง ๆ ด้วยสิทธิ์ระดับผู้ดูแลระบบ
   • การเข้าควบคุมเครื่องลูกข่ายทั้งหมดที่อยู่ภายใต้การบริหารของ EPM
   • การใช้ระบบ EPM เป็นจุดเริ่มต้นในการขยายการโจมตีไปยังระบบอื่นภายในองค์กร
   ️ ผลิตภัณฑ์ที่ได้รับผลกระทบ
   • Ivanti Endpoint Manager (EPM)
   เวอร์ชันที่ได้รับผลกระทบ: ก่อน 2024 SU4 SR1
   การใช้งานเวอร์ชันที่ยังไม่ได้อัปเดตมีความเสี่ยงสูงต่อการถูกโจมตีจากช่องโหว่นี้
   ️ อาการผิดปกติที่ควรเฝ้าระวัง (Indicators of Compromise)
   หน่วยงานควรตรวจสอบหากพบพฤติกรรมดังต่อไปนี้
   • การเข้าสู่ระบบของผู้ดูแลในช่วงเวลาที่ผิดปกติ หรือจาก IP Address ที่ไม่ทราบแหล่งที่มา
   • การแสดงผลข้อมูลบน Dashboard ผิดปกติหรือมีสคริปต์แปลกปลอม
   • ระบบมีการสั่งงานเครื่องลูกข่ายโดยที่ผู้ดูแลไม่ได้อนุมัติ
   • ปริมาณการเรียกใช้งาน API เพิ่มสูงผิดปกติจากพฤติกรรมการใช้งานปกติ
   หากพบอาการข้างต้นร่วมกับการใช้งานเวอร์ชันที่ยังไม่ได้อัปเดต อาจมีความเป็นไปได้ว่าระบบถูกโจมตีแล้ว
   ️ แนวทางป้องกันและการดำเนินการเร่งด่วน
   แนวทางแก้ไขหลัก (แนะนำให้ดำเนินการทันที)
   • อัปเดต Ivanti Endpoint Manager เป็นเวอร์ชัน 2024 SU4 SR1 หรือใหม่กว่า
   • ตรวจสอบและลบข้อมูลที่ผิดปกติหรือไม่พึงประสงค์บนหน้า Dashboard
   • ตรวจสอบ Log การทำงานของบัญชีผู้ดูแลระบบทั้งหมดอย่างละเอียด
   • เปิดใช้งานและกำหนดค่ามาตรการป้องกันการโจมตีแบบ XSS ตามคำแนะนำของ Ivanti
   มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้)
   • จำกัดการเข้าถึง Web Console ให้เฉพาะเครือข่ายภายในองค์กรเท่านั้น
   • บังคับใช้การยืนยันตัวตนหลายปัจจัย (Multi-Factor Authentication: MFA) สำหรับบัญชีผู้ดูแลระบบทุกบัญชี
   • เฝ้าระวังและตรวจสอบ Log การเรียกใช้งาน API อย่างต่อเนื่อง
   • ปิดกั้นการเข้าถึงจากภายนอกองค์กร โดยอนุญาตเฉพาะการเชื่อมต่อผ่าน Firewall หรือ VPN
   แหล่งข้อมูลอ้างอิง
   • Ivanti Security Advisory
   https://forums.ivanti.com/.../Security-Advisory-EPM...
   • BleepingComputer – รายงานข่าวช่องโหว่
   https://www.bleepingcomputer.com/.../ivanti-warns-of.../
   • NVD – CVE-2025-10573
   https://nvd.nist.gov/vuln/detail/CVE-2025-10573

#CVE202510573 #Ivanti #CyberSecurity #ช่องโหว่วิกฤต #อัปเดตด่วน #ThaiCERT #ข่าวไซเบอร์ #เตือนภัยไซเบอร์

Financial Sector

• Fighting Credit Fraud In Uzbekistan: An Uphill Battle Against Social Engineering
  "Imagine you enter a bank with the intention of applying for a loan but your application gets rejected as the bank’s worker tells you that there has already been a loan taken out in your name and your credit limit has been maxed out. You have just found out that you’re a victim of credit fraud. Online lending is rapidly gaining popularity in Uzbekistan, and with it, the number of credit fraud cases is also on the rise. According to data from the Central Bank of Uzbekistan (CBU), there were 463 reported cases of remote online loans issued in someone’s name via apps or a fake identity, resulting in financial losses totaling approximately 15 billion UZS in 2024 alone."
  https://www.group-ib.com/blog/credit-fraud-in-uzbekistan/

Industrial Sector

• • CISA Releases 12 Industrial Control Systems Advisories
    "CISA released 12 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
    https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories
• Threat Landscape For Industrial Automation Systems. Q3 2025
  "In Q3 2025, the percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching its lowest level since 2022 — 20.1%. Regionally, the percentage ranged from 9.2% in Northern Europe to 27.4% in Africa. Increases were seen in five regions. East Asia was the leader in terms of growth for this indicator."
  https://ics-cert.kaspersky.com/publications/reports/2025/12/11/threat-landscape-for-industrial-automation-systems-q3-2025/

Vulnerabilities

• Google Patches Mysterious Chrome Zero-Day Exploited In The Wild
  "Google has released a security update for its Chrome browser, addressing a zero-day vulnerability that the company confirms is actively being exploited in the wild. Several exploited zero-day vulnerabilities were patched by the internet giant in Chrome this year. However, the company has always shared a brief description of the flaw when announcing patches. At the time of writing, the latest Chrome zero-day does not have a CVE identifier and it’s unclear which component of the browser it affects. The company is currently tracking it using a bug tracker ID (466192044) and marked it as ‘under coordination’."
  https://www.securityweek.com/google-patches-mysterious-chrome-zero-day-exploited-in-the-wild/
  https://www.bleepingcomputer.com/news/security/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025/
  https://thehackernews.com/2025/12/chrome-targeted-by-active-in-wild.html
  https://www.infosecurity-magazine.com/news/google-chrome-security-update/
  https://securityaffairs.com/185566/hacking/google-fixed-a-new-actively-exploited-chrome-zero-day.html
  https://www.theregister.com/2025/12/11/google_fixes_supersecret_8th_chrome/
  https://www.malwarebytes.com/blog/news/2025/12/another-chrome-zero-day-under-attack-update-now
• IBM Patches Over 100 Vulnerabilities
  "IBM this week announced fixes for more than 100 vulnerabilities across its products, including multiple critical-severity bugs. Most of them were in third-party dependencies. Storage Defender received patches for six critical-severity defects, all affecting third-party components in Data Protect (which is included in Storage Defender). The weaknesses could lead to denial-of-service (DoS) conditions, memory corruption, arbitrary file overwrite, and application crashes."
  https://www.securityweek.com/ibm-patches-over-100-vulnerabilities/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog
• Notepad++ Fixes Flaw That Let Attackers Push Malicious Update Files
  "Notepad++ version 8.8.9 was released to fix a security weakness in its WinGUp update tool after researchers and users reported incidents in which the updater retrieved malicious executables instead of legitimate update packages. The first signs of this issue appeared in a Notepad++ community forum topic, where a user reported that Notepad++'s update tool, GUP.exe (WinGUp), spawned an unknown "%Temp%\AutoUpdater.exe" executable that executed commands to collect device information."
  https://www.bleepingcomputer.com/news/security/notepad-plus-plus-fixes-flaw-that-let-attackers-push-malicious-update-files/
  https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
  https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9?gi=a472651038c5

Malware

• Active Exploitation Of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
  "The AES implementation of Gladinet’s CentreStack and Triofox products contains hardcoded cryptographic keys. Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution. We are seeing attackers target this flaw across our customer base; organizations that are using CentreStack/Triofox should update to the latest version, 16.12.10420.56791."
  https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
  https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html
  https://www.bleepingcomputer.com/news/security/hackers-exploit-gladinet-centrestack-cryptographic-flaw-in-rce-attacks/
• Malicious VSCode Marketplace Extensions Hid Trojan In Fake PNG File
  "A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders. The malicious activity was uncovered recently, and security researchers found that the operator used a malicious file posing as a .PNG image. The VSCode Market is Microsoft’s official extensions portal for the widely used VSCode integrated development environment (IDE), allowing developers to extend its functionality or add visual customizations."
  https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/
  https://www.infosecurity-magazine.com/news/malware-discovered-in-19-vs-code/
  https://hackread.com/malicious-vs-code-extensions-trojan-fake-png-files/
• ConsentFix: Analysing a Browser-Native ClickFix-Style Attack That Hijacks OAuth Consent Grants
  "The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too. This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name."
  https://pushsecurity.com/blog/consentfix
  https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/
• Hunting For Mythic In Network Traffic
  "Threat actors frequently employ post-exploitation frameworks in cyberattacks to maintain control over compromised hosts and move laterally within the organization’s network. While they once favored closed-source frameworks, such as Cobalt Strike and Brute Ratel C4, open-source projects like Mythic, Sliver, and Havoc have surged in popularity in recent years. Malicious actors are also quick to adopt relatively new frameworks, such as Adaptix C2."
  https://securelist.com/detecting-mythic-in-network-traffic/118291/
• • NANOREMOTE, Cousin Of FINALDRAFT
    "In October 2025, Elastic Security Labs discovered a newly-observed Windows backdoor in telemetry. The fully-featured backdoor we call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API. This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens."
    https://www.elastic.co/security-labs/nanoremote
    https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
• Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
  "In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speaking government entities. We track this Middle Eastern threat actor as Ashen Lepus (aka WIRTE). We share details of a long-running, elusive espionage campaign targeting governmental and diplomatic entities throughout the Middle East. We discovered that the group has created new versions of their previously documented custom loader, delivering a new malware suite that we have named AshTag. The group has also updated their command and control (C2) architecture to evade analysis and blend in with legitimate internet traffic."
  https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
  https://thehackernews.com/2025/12/wirte-leverages-ashenloader-sideloading.html
• CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
  "CyberVolk is a pro-Russia hacktivist persona we first documented in late 2024, tracking its use of multiple ransomware tools to conduct attacks aligned with Russian government interests. After seemingly lying dormant for most of 2025 due to Telegram enforcement actions, the group returned in August with a new RaaS offering called VolkLocker (aka CyberVolk 2.x). In this post, we examine the functionality of VolkLocker, including its Telegram-based automation, encryption mechanisms, and affiliate features."
  https://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/
  https://www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/
• SHADOW-VOID-042 Targets Multiple Industries With Void Rabisu-Like Tactics
  "In October and November 2025, campaigns targeting sectors such as energy, defence, pharmaceuticals, and cybersecurity shared characteristics with older campaigns attributed to Void Rabisu (also known as ROMCOM, Tropical Scorpius, Storm-0978). Void Rabisu is known to be associated with an actor group that has both financial and espionage motivations that are aligned with Russian interests. We are tracking these campaigns under a separate, temporary intrusion set, SHADOW-VOID-042, pending further data to support high-confidence attribution."
  https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
• Makop Ransomware: GuLoader And Privilege Escalation In Attacks Against Indian Businesses
  "Makop is a ransomware strain first observed around 2020 and is generally treated as a variant of the Phobos family. Recently, Acronis TRU researchers identified new activity and tooling associated with Makop, prompting a deeper investigation into several recent ransomware cases to better understand how its operators conduct their attacks."
  https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/

Breaches/Hacks/Leaks

• • Pierce County Library Data Breach Impacts 340,000
    "Pierce County Library System (PCLS) is notifying over 340,000 people that their personal information was compromised in a data breach. Between April 15 and April 21, 2025, threat actors accessed PCLS’s network and stole certain data from its systems, the public library says. “Upon discovering the issue, PCLS immediately commenced an investigation to confirm the nature and scope, and to identify what information could have been affected,” PCLS says in an incident notice on its website."
    https://www.securityweek.com/pierce-county-library-data-breach-impacts-340000/
• Hackers Reportedly Breach Developer Involved With Russia’s Military Draft Database
  "An anonymous hacker group has reportedly breached the servers of a little-known Russian tech firm alleged to be involved in building the country’s unified military registration database. According to Grigory Sverdlov, head of the Russian anti-war human rights group Idite Lesom (“Get Lost”), the hackers contacted him and handed over a trove of internal Mikord documents, including source code, technical and financial records, and internal correspondence."
  https://therecord.media/hackers-reportedly-breach-developer-involved-in-russian-military-database

General News

• LLM Vulnerability Patching Skills Remain Limited
  "Security teams are wondering whether LLMs can help speed up patching. A new study tests that idea and shows where the tools hold up and where they fall short. The researchers tested LLMs from OpenAI, Meta, DeepSeek, and Mistral to see how well they could fix vulnerable Java functions in a single attempt."
  https://www.helpnetsecurity.com/2025/12/11/llms-software-vulnerability-patching-study/
  https://arxiv.org/pdf/2511.23408
• Teamwork Is Failing In Slow Motion And Security Feels It
  "Security leaders often track threats in code, networks, and policies. But a quieter risk is taking shape in the everyday work of teams. Collaboration is getting harder even as AI use spreads across the enterprise. That tension creates openings for mistakes, shadow tools, and uncontrolled data flows. A recent Forrester study shows how this break in teamwork forms and how leaders can respond before it grows."
  https://www.helpnetsecurity.com/2025/12/11/forrester-teamwork-security-gaps-report/
• 2025 CWE Top 25 Most Dangerous Software Weaknesses
  "The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services."
  https://www.cisa.gov/news-events/alerts/2025/12/11/2025-cwe-top-25-most-dangerous-software-weaknesses
• • OpenAI Braces For AI Models That Could Breach Defenses
    "OpenAI said Wednesday it is preparing for artificial intelligence models to reach "high" cybersecurity risk levels, marking an escalation in the dual-use capabilities that could strengthen defenses or enable sophisticated attacks. The ChatGPT maker said it is planning and evaluating as though each new model could achieve capabilities sufficient to develop working zero-day remote exploits against well-defended systems or meaningfully assist with complex, stealthy enterprise or industrial intrusion operations aimed at real-world effects."
    https://www.bankinfosecurity.com/openai-braces-for-ai-models-that-could-breach-defenses-a-30264
    https://www.infosecurity-magazine.com/news/openai-enhances-defensive-models/
• Malicious Apprentice | How Two Hackers Went From Cisco Academy To Cisco CVEs
  "First publicly reported in September 2024, Salt Typhoon’s campaign is now known to have penetrated more than 80 telecommunications companies globally. The group’s campaign collected unencrypted calls and texts between US presidential candidates, key staffers, and many China-experts in Washington, DC. However, Salt Typhoon’s collection activity went beyond those intercepts. Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon. A recent Joint Cybersecurity Advisory published by the U.S. and more than 30 allies sheds light on how Salt Typhoon came to penetrate global telecommunications infrastructure."
  https://www.sentinelone.com/labs/malicious-apprentice-how-two-hackers-went-from-cisco-academy-to-cisco-cves/
  https://www.theregister.com/2025/12/11/salt_typhoon_cisco_training/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ตรวจพบช่องโหว่ที่มีความรุนแรงสูงสุดใน Apache Tika เป็นช่องโหว่แบบ XML External Entity (XXE) เปิดโอกาสให้ผู้โจมตีใช้ไฟล์ PDF ที่สร้างขึ้นเป็นพิเศษเพื่อเจาะระบบ โดยระบบจะประมวลผลไฟล์ดังกล่าวอัตโนมัติเมื่อมีการอัปโหลดหรือส่งเข้าไปในกระบวนการประมวลผลเอกสาร (ingest) นำไปสู่การเข้าถึงข้อมูลหรือทรัพยากรภายในที่ควรถูกป้องกันได้

กลุ่มเป้าหมายที่อาจได้รับผลกระทบจากช่องโหว่
• ใช้ Apache Tika โดยตรงในแอปพลิเคชัน (เช่น Java application, microservice ที่เรียก Tika เพื่ออ่านและแปลงข้อความจากเอกสาร)
• Apache Tika ที่ให้ผู้ใช้ อัปโหลดไฟล์ PDF จากภายนอก แล้วนำไฟล์เหล่านั้นไปประมวลผลต่อ เช่น ระบบยื่นคำร้องออนไลน์, ระบบส่งเอกสาร, ระบบรับไฟล์แนบต่าง ๆ
• ใช้ระบบค้นหาเอกสารที่ผสาน Apache Tika กับ Solr/Elasticsearch เพื่อค้นหาเนื้อหาภายในไฟล์ได้
• ใช้ระบบจัดการเอกสารหรือแพลตฟอร์มวิเคราะห์เอกสาร เช่น ECM, DMS, e-Discovery, DLP หรือระบบวิเคราะห์ข้อมูลที่อาศัย Tika ในการอ่านและแปลงเนื้อหาจากไฟล์
• ใช้ซอฟต์แวร์หรือแพลตฟอร์มที่ มี Apache Tika เป็นส่วนประกอบภายในระบบ

แพ็กเกจ/เวอร์ชันที่ต้องรีบตรวจสอบ
หากพบการใช้แพ็กเกจและเวอร์ชันต่อไปนี้ ให้ถือว่า “เข้าข่ายเสี่ยงทันที”

1. Apache Tika core
   แพ็กเกจ: org.apache.tika:tika-core
   เวอร์ชันที่มีช่องโหว่: 1.13 – 3.2.1
   ควรอัปเดตเป็น: 3.2.2 ขึ้นไป
2. Apache Tika parsers
   แพ็กเกจ: org.apache.tika:tika-parsers
   เวอร์ชันที่มีช่องโหว่: 1.13 ก่อน 2.0.0
   ควรอัปเดตเป็น: 2.0.0 ขึ้นไป (โดยรวมควรให้ core อยู่ในช่วง 3.2.2 ขึ้นไป)
3. Apache Tika PDF parser module
   แพ็กเกจ: org.apache.tika:tika-parser-pdf-module
   เวอร์ชันที่มีช่องโหว่: 2.0.0 – 3.2.1
   ควรอัปเดตเป็น: 3.2.2 ขึ้นไป
   ช่องโหว่นี้เป็นการขยายขอบเขตจาก CVE-2025-54988 และยืนยันว่าปัญหาหลักอยู่ที่ tika-core หากอัปเดตเฉพาะส่วนประกอบสำหรับประมวลผลไฟล์ PDF แต่ไม่อัปเดต tika-core เป็นเวอร์ชัน 3.2.2 ขึ้นไป ระบบยังคงมีความเสี่ยงอยู่

ข้อควรทำก่อนอัปเดต
• สำรองข้อมูลและ configuration ที่เกี่ยวข้องกับระบบก่อนทำการอัปเดต (source code, image, config)
• ทดสอบในสภาพแวดล้อมทดสอบ (staging) ก่อนนำขึ้นระบบจริง โดยเฉพาะระบบที่มีความสำคัญสูง
• ประสานงานระหว่างทีมพัฒนา ทีมโครงสร้างพื้นฐาน และทีมความมั่นคงปลอดภัย ให้เรียบร้อยก่อนวางแผนการหยุดให้บริการ (downtime) หรือ ดำเนินการปรับปรุงระบบ (deploy)

️ หากยังไม่สามารถอัปเดต
ในกรณีที่ระบบมีข้อจำกัด (เช่น ระบบเก่า, ขึ้นกับ third-party ที่ยังไม่ออกแพตช์) ให้ดำเนินการลดความเสี่ยงชั่วคราวดังนี้

1. ลดความเสี่ยงจากไฟล์ PDF
   • ปิดหรือจำกัดฟังก์ชันที่รับไฟล์ PDF ที่มาจากแหล่งภายนอก หากไม่จำเป็นต้องเปิดให้ใช้งานในช่วงที่ยังไม่สามารถอัปเดตแพตช์ได้
   • ใช้เครื่องมือ pre-process PDF เช่น qpdf, pdfid.py เพื่อตรวจจับ/บล็อกไฟล์ที่มี XFA หรือฟิลด์ /AcroForm ก่อนส่งเข้า Apache Tika
   • แยก Apache Tika ที่ใช้ประมวลผลไฟล์จากภายนอก ออกมาอยู่ในโซนที่มีการทำ sandbox และจำกัดสิทธิ์เข้มงวด
2. ควบคุมการเชื่อมต่อออกของเซิร์ฟเวอร์ที่ใช้ Apache Tika
   • กำหนดค่า Firewall/Proxy อนุญาตเฉพาะปลายทางที่จำเป็นต่อการทำงานของระบบเท่านั้น
   • บล็อกการเข้าถึง metadata service, IP ภายในที่สำคัญ หรือระบบจัดการที่ไม่ควรถูกเรียกจาก Apache Tika
3. เสริมการป้องกันในระดับโฮสต์และระบบตรวจจับ (Host / EDR)
   • กำหนดให้ Apache Tika ทำงานภายใต้บัญชีผู้ใช้ที่มีสิทธิ์จำกัด ตามหลักการ least privilege
   • ใช้ container/sandbox/AppArmor/SELinux จำกัดสิทธิ์และขอบเขตการเข้าถึง
   • ตั้ง rule ใน EDR/SIEM ให้แจ้งเตือนกรณี:
   • การที่โปรเซสของ Tika พยายามอ่านไฟล์ระบบหรือไฟล์ credential ที่ไม่ควรถูกเข้าถึง
   • การตรวจพบทราฟฟิกเชื่อมต่อออกจากเซิร์ฟเวอร์ที่รัน Apache Tika ไปยังปลายทางที่ไม่เคยอยู่ในรูปแบบการใช้งานปกติ

️ ระดับความเร่งด่วน
ช่องโหว่นี้มีศักยภาพในการนำไปสู่การรั่วไหลข้อมูลและการเข้าถึงระบบภายใน หากยังไม่ได้ดำเนินการอัปเดตหรือบรรเทาความเสี่ยง ให้ถือว่าระบบดังกล่าวอยู่ในสถานะความเสี่ยงสูง และควรเร่งดำเนินการลดความเสี่ยงโดยทันที

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT
ที่มา
[1]:NVD – CVE-2025-66516
https://nvd.nist.gov/vuln/detail/CVE-2025-66516
[2] NVD – CVE-2025-54988
https://nvd.nist.gov/vuln/detail/CVE-2025-54988
[3] Apache Tika Advisory (Mailing List)
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
[4] The Hacker News – Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika
https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
[5] Upwind – Apache Tika XXE Vulnerability (CVE-2025-66516)
https://www.upwind.io/feed/apache-tika-rce-cve-2025-66516

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Rockwell, Schneider
    "Industrial giants Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products. Siemens has published 14 new advisories. An overall severity rating of ‘critical’ has been assigned to three advisories covering dozens of third-party component vulnerabilities affecting Comos, Sicam T, and Ruggedcom ROX products."
    https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-rockwell-schneider/

New Tooling

• UTMStack: Open-Source Unified Threat Management Platform
  "UTMStack is an open-source unified threat management platform that brings SIEM and XDR features into one system. The project focuses on real time correlation of log data, threat intelligence, and malware activity patterns gathered from different sources. The goal is to help organizations identify and halt complex threats that rely on stealthy techniques."
  https://www.helpnetsecurity.com/2025/12/10/utmstack-open-source-unified-threat-management-platform/
  https://github.com/utmstack/UTMStack

Vulnerabilities

• Vulnerabilities Identified In PCIe Integrity And Data Encryption (IDE) Protocol Specification
  "PCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. Several issues were identified in the IDE specification that could allow an attacker with local access to influence data consumed on the link. The PCIe 6.0 IDE Erratum provides corrective guidance, and firmware and hardware updates are expected to address these concerns."
  https://kb.cert.org/vuls/id/404544
  https://thehackernews.com/2025/12/three-pcie-encryption-weaknesses-expose.html
  https://www.securityweek.com/intel-amd-processors-affected-by-pcie-vulnerabilities/
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
  CVE-2025-62221 Microsoft Windows Use After Free Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
  https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
  https://securityaffairs.com/185523/security/u-s-cisa-adds-microsoft-windows-and-winrar-flaws-to-its-known-exploited-vulnerabilities-catalog.html
• SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
  "Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This year at Black Hat Europe, Piotr Bazydlo presented “SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL”. This research ultimately led to the identification of new primitives in the .NET Framework that, while Microsoft decided deserved DONOTFIX (repeatedly), were successfully weaponized against enterprise-grade appliances to achieve Remote Code Execution."
  https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
  https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
  https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/

Malware

• Opportunistic Pro-Russia Hacktivists Attack US And Global Critical Infrastructure
  "CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure."
  https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia-hacktivists-attack-us-and-global-critical-infrastructure
  https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
  https://www.darkreading.com/threat-intelligence/hactivists-target-critical-infrastructure
  https://therecord.media/doj-cisa-warn-russia-hackers-targeting-critical-infrastructure
  https://www.infosecurity-magazine.com/news/russia-hackers-target-us-critical/
• Infostealer Has Entered The Chat
  "Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?"
  https://www.kaspersky.co.uk/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/29796/
  https://www.bleepingcomputer.com/news/security/google-ads-for-shared-chatgpt-grok-guides-push-macos-infostealer-malware/
• • Phishers Get Creative: The NoteGPT Twist You Didn’t See Coming
    "NoteGPT is an AI-generated tool that converts lengthy lectures, meetings, or videos into concise, easy-to-read notes in just seconds. While seemingly useful, threat actors are now exploiting it to host fake files and lure victims. They upload malicious content to NoteGPT, then share what appears to be a harmless “document” or “note”. Because NoteGPT is a legitimate platform, many users let their guard down. Once victims click through, they’re redirected to credential phishing pages disguised as familiar login portals like Microsoft or Google. At this point, users are asked to sign in to access the file, unknowingly handing their credentials straight to threat actors."
    https://cofense.com/blog/phishers-get-creative-the-notegpt-twist-you-didn-t-see-coming
• AMOS Stealer Exploits AI Trust: Malware Delivered Through ChatGPT And Grok
  "On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the telemetry. We expected to find the standard delivery vectors: a phishing link, a trojanized installer, maybe a ClickFix lure. None of those were present: no phishing email, no malicious installer, and no familiar ClickFix-style lure."
  https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
  https://www.darkreading.com/vulnerabilities-threats/clickfix-style-attack-grok-chatgpt-malware
• • Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
    "After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain. The film, Leonardo DiCaprio's latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible."
    https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell
    https://hackread.com/dicaprio-one-battle-after-another-torrent-agent-tesla/
• PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
  "Huntress is seeing threat actors exploit a vulnerability in React Server Components (CVE-2025-55182) across several organizations in our customer base. Attackers have attempted to deploy cryptominer malware, a Linux backdoor we're tracking as PeerBlight, a reverse proxy tunnel we call CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq as part of their post-exploitation activity. We also observed a Kaiji botnet variant being distributed through this campaign. We recommend immediate patching due to the feasibility of exploitation."
  https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
  https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
• • Gogs 0-Day Exploited In The Wild
    "On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live zero-day vulnerability. During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances. We responsibly disclosed this vulnerability to the maintainers. They are currently working on a fix, but active exploitation continues in the wild."
    https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
    https://www.theregister.com/2025/12/10/gogs_0day_under_active_exploitation/
• 01flip: Multi-Platform Ransomware Written In Rust
  "In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. These financially motivated attackers likely carried this out through manual means. We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack. We are currently tracking this activity as CL-CRI-1036, signifying a cluster of malicious activity that is likely related to cybercrime."
  https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
• • ClickFix Social Engineering Sparks Rise Of CastleLoader Attacks
    "A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. According to Blackpoint, the activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step. That single action initiates a multi-stage sequence that quietly downloads, decrypts and runs an attacker-controlled payload in memory."
    https://www.infosecurity-magazine.com/news/clickfix-rise-castleloader-attacks/
• Total Takeover: DroidLock Hijacks Your Device
  "The zLabs research team has identified a new threat campaign targeting Spanish Android users. DroidLock, a malware more accurately classified as ransomware, propagates via phishing websites. It has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device. It employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel."
  https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device
  https://www.bleepingcomputer.com/news/security/new-droidlock-malware-locks-android-devices-and-demands-a-ransom/
• Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
  "Seqrite Labs has identified a targeted malware campaign, tracked as Operation FrostBeacon, which is delivering Cobalt Strike beacons to companies within the Russian Federation. The phishing emails indicat that the threat group is financially motivated which targets organization responsible for payments, contracts, reconciliation, legal risk. More than 20 initial infection files have been observed where the intrusion relies on a multi-layered infection chain with two different clusters; one infects through phishing archive files that contain malicious shortcut files. The second cluster leverages the legacy CVE-2017-0199 template injection vulnerability and even chains it with another old Equation Editor vulnerability CVE-2017-11882."
  https://www.seqrite.com/blog/operation-frostbeacon-multi-cluster-cobalt-strike-campaign-targets-russia/

Breaches/Hacks/Leaks

• Thousands Of Exposed Secrets Found On Docker Hub, Putting Organizations At Risk
  "For years, there’s been a saying in the security world: hackers don’t need to hack anymore – the keys are handed to them on a silver platter. But is that really true? That question is what sparked our research into exposed secrets on Docker Hub. We designed a methodology to analyze leaked credentials, validate which were real, and investigate their origin: who they belonged to, the environments they granted access to, and the potential blast radius to both the affected organizations and the wider ecosystem."
  https://flare.io/learn/resources/docker-hub-secrets-exposed/
  https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
• Russia’s Flagship Airline Hacked Through Little-Known Tech Vendor, According To New Report
  "A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation. The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began."
  https://therecord.media/russia-flagship-airline-hacked-through-little-known-vendor

General News

• Stranger Threats Are Coming: Group-IB Cyber Predictions For 2026 And Beyond
  "The speed, nature, and intent of cybercrime have been evolving faster than we can keep up with. With the use of AI, we’ve all been anticipating it, but the extent has been underestimated. The cybersecurity landscape is becoming hyperactive – AI, evolving adversary ambitions, geopolitical shifts, and changing business dynamics, all combine to play a role in this acceleration."
  https://www.group-ib.com/blog/cyber-predictions-2026/

• Henkel CISO On The Messy Truth Of Monitoring Factories Built Across Decades
  "In this Help Net Security interview, Stefan Braun, CISO at Henkel, discusses how smart manufacturing environments introduce new cybersecurity risks. He explains where single points of failure hide, how attackers exploit legacy systems, and why monitoring must adapt to mixed-generation equipment. His insights show why resilience depends on visibility, autonomy, and disciplined vendor accountability."
  https://www.helpnetsecurity.com/2025/12/10/stefan-braun-henkel-smart-manufacturing-cybersecurity/

• The Hidden Dynamics Shaping Who Produces Influential Cybersecurity Research
  "Cybersecurity leaders spend much of their time watching how threats and tools change. A new study asks a different question, how has the research community itself changed over the past two decades. Researchers from the University of Southampton examined two long running conference communities, SOUPS and Financial Cryptography and Data Security, to see how teams form, who contributes, and which kinds of work gain attention. The result is a rare look at the structure behind the papers that influence security practice."
  https://www.helpnetsecurity.com/2025/12/10/interesting-cybersecurity-research-trends/

• LLMs Are Everywhere In Your Stack And Every Layer Brings New Risk
  "LLMs are moving deeper into enterprise products and workflows, and that shift is creating new pressure on security leaders. A new guide from DryRun Security outlines how these systems change long standing assumptions about data handling, application behavior, and internal boundaries. It is built around the OWASP Top 10 for LLM Applications, which the company uses as the structure for a full risk model and a reference architecture for teams building with LLMs."
  https://www.helpnetsecurity.com/2025/12/10/enterprise-llm-security-risks-analysis/

• UK Sanctions Russian And Chinese Firms Suspected Of Being ‘Malign Actors’ In Information Warfare
  "Britain announced sanctions against Russian media and ideas outlets on Tuesday as the U.K’s top diplomat warned Western nations must raise their game to combat information warfare from “malign foreign states. Foreign Secretary Yvette Cooper said the U.K. was imposing sanctions on the microblogging Telegram channel Rybar and its co-owner Mikhail Sergeevich Zvinchuk, the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad — also known as Pravfond and described by Estonian intelligence as a front for the GRU spy agency — and the Center for Geopolitical Expertise, a think-tank run by Russian ultranationalist ideologue Alexander Dugin."
  https://www.securityweek.com/uk-sanctions-russian-and-chinese-firms-suspected-of-being-malign-actors-in-information-warfare/
  https://therecord.media/uk-sanctions-russia-china-entities-information-warfare

• The Big Catch: How Whaling Attacks Target Top Executives
  "When a hedge fund manager opened up an innocuous Zoom meeting invite, he had little idea of the corporate carnage that was to follow. That invite was booby-trapped with malware, enabling threat actors to hijack his email account. From there they moved swiftly, authorizing money transfers on Fagan’s behalf for fake invoices they sent to the hedge fund. In total, they approved $8.7 million worth of invoices in this way. The incident was ultimately the undoing of Levitas Capital, after it forced the exit of one of the firm’s biggest clients."
  https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/

• • Ukrainian Hacker Charged With Helping Russian Hacktivist Groups
    "U.S. prosecutors have charged a Ukrainian national for her role in cyberattacks targeting critical infrastructure worldwide, including U.S. water systems, election systems, and nuclear facilities, on behalf of Russian state-backed hacktivist groups. On Tuesday, 33-year-old Victoria Eduardovna Dubranova (also known as Vika, Tory, and SovaSonya) was arraigned on charges related to her alleged role in NoName057(16), after being extradited to the U.S. earlier this year for supporting CyberArmyofRussia_Reborn (CARR)."
    https://www.bleepingcomputer.com/news/security/ukrainian-hacker-charged-with-helping-russian-hacktivist-groups/
    https://therecord.media/us-extradites-member-of-russian-hacking-groups-critical-infrastructure
    https://cyberscoop.com/us-charges-russian-backed-hacker-critical-infrastructure-attacks-carr-noname05716/
    https://hackread.com/ukraine-woman-us-custody-russia-noname057-hackers/
    https://www.securityweek.com/us-indicts-extradited-ukrainian-on-charges-of-aiding-russian-hacking-groups/
    https://www.theregister.com/2025/12/10/pro_russia_hacktivist_charged/
• • Experience Really Matters - But Now You're Fighting AI Hacks
    "When Anthropic disclosed a cyberespionage campaign conducted largely through an artificial intelligence system, it provided a detailed view of how offensive operations can unfold when an autonomous tool performs most of the technical work. The Cumberland County, Pennsylvania, intrusion still needed human direction, but the operational tasks were executed by an AI system that performed reconnaissance, generated exploits, escalated privileges and moved laterally through the network."
    https://www.bankinfosecurity.com/blogs/experience-really-matters-but-now-youre-fighting-ai-hacks-p-3996
• • Ransomware Victim Warning: The Streisand Effect May Apply
    "Paying off ransomware hackers to avoid notoriety is a losing proposition, finds a study of LockBit victims that identified a correlation between unwanted attention and succumbing to extortionists, as opposed to standing firm. "It seems that paying the ransom doesn't at all appear to reduce public exposure - if anything, it increases it," Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - said in a keynote presentation at the Black Hat Europe conference in London."
    https://www.bankinfosecurity.com/ransomware-victim-warning-streisand-effect-may-apply-a-30247

• Global Cyber Attacks Increase In November 2025 Driven By Ransomware Surge And GenAI Risks
  "In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average of 2,003 cyber-attacks per week. This represents a 3% increase from October, and a 4% rise compared to November 2024. Check Point Research data shows that this steady escalation reflects a threat landscape shaped by intensified ransomware activity, expanded attack surfaces, and the growing exposure risks associated with generative AI tools inside organizations."
  https://blog.checkpoint.com/research/global-cyber-attacks-increase-in-november-2025-driven-by-ransomware-surge-and-genai-risks/

• • list itemOverconfident And Underprepared: IT Leaders Misjudge AI Cyber Risk
    "AI-generated malware is exploding in volume and sophistication. Legacy cyber tools, built on signatures, heuristics, and aging machine learning, are failing spectacularly in this new era of Dark AI. Yet confidence in these legacy cyber tools remains remarkably high, creating a widening disconnect between perception and reality. In this blog, we dig into the results from our new study of 500 U.S. IT professionals, which clearly highlights that IT professionals, especially in management positions, don’t realize just how quickly the new AI-driven threat landscape is shifting beneath their feet."
    https://www.deepinstinct.com/blog/overconfident-and-underprepared-it-leaders-misjudge-ai-cyber-risk
• • HTTPS Certificate Industry Phasing Out Less Secure Domain Validation Methods
    "Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers."
    https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html

• Log4Shell Downloaded 40 Million Times In 2025
  "Tens of millions of downloads of the popular Java logging library Log4j this year were vulnerable to a CVSS 10.0-rated vulnerability that first surfaced four years ago, according to Sonatype. The security vendor claimed 13% of Log4j downloads in 2025 were still vulnerable to Log4Shell, hinting at the challenge of persistent risks in the open source ecosystem. “On one side, there’s unfixed risk: vulnerabilities that never get patched upstream. On the other, there’s corrosive risk: vulnerabilities that do have fixes, but continue to spread because consumers don’t move,” it explained."
  https://www.infosecurity-magazine.com/news/log4shell-downloaded-40-million/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Financial Sector

• Russian Police Bust Bank-Account Hacking Gang That Used NFCGate-Based Malware
  "Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide. According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant."
  https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware

New Tooling

• The Bastion: Open-Source Access Control For Complex Infrastructure
  "Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work and each new system adds more identities to manage. A bastion host tries to bring order to this problem. It acts as a single entry point for sysadmins and developers who connect to infrastructure through ssh. This model is old in theory, but The Bastion open-source project shows how far a purpose-built access layer can go."
  https://www.helpnetsecurity.com/2025/12/08/open-source-bastion-host-security/
  https://github.com/ovh/the-bastion

Vulnerabilities

• Attackers Actively Exploiting Critical Vulnerability In Sneeit Framework Plugin
  "On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to execute code remotely. The vendor released the patched version on August 5th, 2025, and we publicly disclosed this vulnerability in the Wordfence Intelligence Vulnerability Database on November 24th, 2025. Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025. The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability."
  https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
  https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
  CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
• Prompt Injection Is Not SQL Injection (it May Be Worse)
  "The term ‘prompt injection’ was coined in 2022 to describe a new class of application vulnerability in genAI applications. Prompt injection is where developers concatenate their own instructions with untrusted content in a single prompt, and then treat the model’s response as if there were a robust boundary between ‘what the app asked for’ and anything in the untrusted content. Whilst initially reported as command execution, the underlying issue has turned out to be more fundamental than classic client/server vulnerabilities. Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt."
  https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
  https://cyberscoop.com/uk-warns-ai-prompt-injection-unfixable-security-flaw/

Malware

• The VS Code Malware That Captures Your Screen
  "Over the past year we've detected dozens of malicious VS Code extensions. Most steal credentials or mine crypto. But this malware goes further - it captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too. And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions - a color theme and an AI coding assistant. Both from the same publisher."
  https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
  https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
• Cydome Research Team Identified "Broadside", A New Mirai Botnet Variant, Active In The Wild
  "Cydome’s Cybersecurity Research Team has identified an active campaign of a new variant of the Mirai botnet, designated as “Broadside”. This campaign targets the maritime logistics sector, exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorders) devices in use by shipping companies on vessels (among others). Cydome has been tracking the associated infrastructure over the past months, observing that active IPs rise and fall in alignment with the campaign’s activity."
  https://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
  https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
• Inside Shanya, a Packer-As-a-Service Fueling Modern Attacks
  "We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article."
  https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
  https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
• Bellerophon Could Never Have Imagined. The ChimeraWire Trojan Boosts Website Popularity By Skillfully Pretending To Be Human
  "While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management. Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them."
  https://news.drweb.com/show/?i=15090&lng=en
  https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
• JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
  "The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan."
  https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
  https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
  https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
• How Phishers Hide Banking Scams Behind Free Cloudflare Pages
  "During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections."
  https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages
• AI-Automated Threat Hunting Brings GhostPenguin Out Of The Shadows
  "Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is a particularly challenging process, especially when the malware is new, undocumented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder."
  https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html
• LockBit 5.0 Infrastructure Exposed In New Server, IP, And Domain Leak
  "LockBit 5.0 key infrastructure exposed, revealing the IP address 205[.]185[.]116[.]233, and the domain karma0[.]xyz is hosting the ransomware group’s latest leak site. According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations. This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities.​"
  https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/

Breaches/Hacks/Leaks

• Space Bears Ransomware Claims Comcast Data Theft Through Quasar Breach
  "Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. The claims were published on the group’s dark web leak site. The same leak site also lists Quasar as an independent victim, which indicates the group is presenting two connected incidents rather than a single combined breach."
  https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
• Tri-Century Eye Care Data Breach Impacts 200,000 Individuals
  "A recently disclosed Tri-Century Eye Care data breach affects roughly 200,000 individuals, according to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). Tri-Century Eye Care provides comprehensive eye care services at several locations in Bucks County, Pennsylvania. In a data security incident notice posted on its website in late October, Tri-Century Eye Care informed patients and employees that their personal and protected health information may have been compromised as a result of a breach detected on September 3."
  https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/

General News

• FinCEN Says Ransomware Gangs Extorted Over $2.1B From 2022 To 2024
  "A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs. From thousands of Bank Secrecy Act filings, the report documents 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly reaching the total reported over 8 years from 2013 to 2021."
  https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/
  https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
  https://therecord.media/fincen-treasury-2-billion-ransomware-payments-report
  https://www.darkreading.com/cyberattacks-data-breaches/us-treasury-45b-ransom-payments-2013
  https://cyberscoop.com/ransomware-payments-decline-2024-fincen/
  https://www.securityweek.com/ransomware-payments-surpassed-4-5-billion-us-treasury/
  https://securityaffairs.com/185465/cyber-crime/fincen-data-shows-4-5b-in-ransomware-payments-record-spike-in-2023.html
• Poland Arrests Ukrainians Utilizing 'advanced' Hacking Equipment
  "The police in Poland arrested three Ukrainian nationals for allegedly attempting to damage IT systems in the country using hacking equipment and for obtaining "computer data of particular importance to national defense." The three men, aged between 39 and 43, could not explain why they were carrying the electronic devices. They now face charges of fraud, computer fraud, and possession of devices and software intended for criminal activity. According to the police, the Ukrainians "were visibly nervous" when officers stopped them and said they were heading to Lithuania while traveling around Europe."
  https://www.bleepingcomputer.com/news/security/poland-arrests-ukrainians-utilizing-advanced-hacking-equipment/
• Cyber Threats To The U.S.: What Policymakers Need To Know For 2026
  "Cyber attacks against the United States are no longer isolated events or technical headaches. They are now powerful tools of national strategy used by foreign governments, criminal networks, and ideological groups. A new report explains how these attacks have changed from simple hacks into coordinated campaigns aimed at shaping global politics, weakening U.S. institutions, and putting pressure on American decision-makers. This blog highlights the key takeaways for leaders responsible for national security, public policy, and critical infrastructure resilience."
  https://blog.checkpoint.com/executive-insights/cyber-threats-to-the-u-s-what-policymakers-need-to-know-for-2026/
  https://l.cyberint.com/threats-to-the-homeland-report
• NVIDIA Research Shows How Agentic AI Fails Under Attack
  "Enterprises are rushing to deploy agentic systems that plan, use tools, and make decisions with less human guidance than earlier AI models. This new class of systems also brings new kinds of risk that appear in the interactions between models, tools, data sources, and memory stores. A research team from NVIDIA and Lakera AI has released a safety and security framework that tries to map these risks and measure them inside real workflows. The work includes a new taxonomy, a dynamic evaluation method, and a detailed case study of NVIDIA’s AI-Q Research Assistant. The authors also released a dataset with more than ten thousand traces from attack and defense runs to support outside research."
  https://www.helpnetsecurity.com/2025/12/08/nvidia-agentic-ai-security-framework/
  https://arxiv.org/pdf/2511.21990
• Invisible IT Is Becoming The Next Workplace Priority
  "IT leaders want their employees to work without running into digital hurdles, but many still struggle with fragmented systems that slow teams down. A new report from Lenovo sheds light on how widespread the problem has become and what organizations can do to reduce workplace friction. Hybrid work pushed companies to adopt new tools, devices and management platforms at speed. According to the research, enterprises now manage an average of 897 applications, but only 28 percent are integrated. The report notes that this patchwork environment strains both workers and support teams, since employees must move across several systems before they can resolve problems or complete simple tasks."
  https://www.helpnetsecurity.com/2025/12/08/invisible-it-workplace-priority/
• CISOs Are Spending Big And Still Losing Ground
  "Security leaders are entering another budget cycle with more money to work with, but many still feel no safer. A new benchmark study from Wiz shows a widening gap between investment and impact. Budgets keep rising, cloud programs keep expanding, and AI is reshaping both threats and defenses. Still, CISOs say the fundamentals of risk reduction are not improving fast enough."
  https://www.helpnetsecurity.com/2025/12/08/wiz-cybersecurity-spending-priorities-report/
• CISO Conversations: Keith McCammon, CSO And Co-Founder At Red Canary
  "Keith McCammon was a technologist first and security guru second. He has never received any formal training in cybersecurity; but a love of technology and pleasure in solving puzzles naturally led into the subject, learning on the journey. Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company)."
  https://www.securityweek.com/ciso-conversations-keith-mccammon-cso-and-co-founder-at-red-canary/
• Three Hacking Groups, Two Vulnerabilities And All Eyes On China
  "On the main stage at the Pwn2Own hacking competition in Berlin this March, researchers demonstrated it was possible to remotely compromise sensitive information via Microsoft’s on-premise SharePoint software — the first glimpse that the world got of two dangerous software vulnerabilities threatening governments and enterprises around the globe."
  https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft
• Officials Offer $10M Reward For Information On IRGC-Linked Leader And Close Associate
  "The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. “Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week."
  https://cyberscoop.com/shahid-shushtari-iran-cyber-electronic-command-10m-reward/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Financial Sector

• Russian Police Bust Bank-Account Hacking Gang That Used NFCGate-Based Malware
  "Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide. According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant."
  https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware

New Tooling

• The Bastion: Open-Source Access Control For Complex Infrastructure
  "Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work and each new system adds more identities to manage. A bastion host tries to bring order to this problem. It acts as a single entry point for sysadmins and developers who connect to infrastructure through ssh. This model is old in theory, but The Bastion open-source project shows how far a purpose-built access layer can go."
  https://www.helpnetsecurity.com/2025/12/08/open-source-bastion-host-security/
  https://github.com/ovh/the-bastion

Vulnerabilities

• Attackers Actively Exploiting Critical Vulnerability In Sneeit Framework Plugin
  "On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to execute code remotely. The vendor released the patched version on August 5th, 2025, and we publicly disclosed this vulnerability in the Wordfence Intelligence Vulnerability Database on November 24th, 2025. Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025. The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability."
  https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
  https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
  CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
• Prompt Injection Is Not SQL Injection (it May Be Worse)
  "The term ‘prompt injection’ was coined in 2022 to describe a new class of application vulnerability in genAI applications. Prompt injection is where developers concatenate their own instructions with untrusted content in a single prompt, and then treat the model’s response as if there were a robust boundary between ‘what the app asked for’ and anything in the untrusted content. Whilst initially reported as command execution, the underlying issue has turned out to be more fundamental than classic client/server vulnerabilities. Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt."
  https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
  https://cyberscoop.com/uk-warns-ai-prompt-injection-unfixable-security-flaw/

Malware

• The VS Code Malware That Captures Your Screen
  "Over the past year we've detected dozens of malicious VS Code extensions. Most steal credentials or mine crypto. But this malware goes further - it captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too. And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions - a color theme and an AI coding assistant. Both from the same publisher."
  https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
  https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
• Cydome Research Team Identified "Broadside", A New Mirai Botnet Variant, Active In The Wild
  "Cydome’s Cybersecurity Research Team has identified an active campaign of a new variant of the Mirai botnet, designated as “Broadside”. This campaign targets the maritime logistics sector, exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorders) devices in use by shipping companies on vessels (among others). Cydome has been tracking the associated infrastructure over the past months, observing that active IPs rise and fall in alignment with the campaign’s activity."
  https://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
  https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
• Inside Shanya, a Packer-As-a-Service Fueling Modern Attacks
  "We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article."
  https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
  https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
• Bellerophon Could Never Have Imagined. The ChimeraWire Trojan Boosts Website Popularity By Skillfully Pretending To Be Human
  "While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management. Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them."
  https://news.drweb.com/show/?i=15090&lng=en
  https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
• JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
  "The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan."
  https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
  https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
  https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
• How Phishers Hide Banking Scams Behind Free Cloudflare Pages
  "During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections."
  https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages
• AI-Automated Threat Hunting Brings GhostPenguin Out Of The Shadows
  "Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is a particularly challenging process, especially when the malware is new, undocumented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder."
  https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html
• LockBit 5.0 Infrastructure Exposed In New Server, IP, And Domain Leak
  "LockBit 5.0 key infrastructure exposed, revealing the IP address 205[.]185[.]116[.]233, and the domain karma0[.]xyz is hosting the ransomware group’s latest leak site. According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations. This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities.​"
  https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/

Breaches/Hacks/Leaks

• Space Bears Ransomware Claims Comcast Data Theft Through Quasar Breach
  "Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. The claims were published on the group’s dark web leak site. The same leak site also lists Quasar as an independent victim, which indicates the group is presenting two connected incidents rather than a single combined breach."
  https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
• Tri-Century Eye Care Data Breach Impacts 200,000 Individuals
  "A recently disclosed Tri-Century Eye Care data breach affects roughly 200,000 individuals, according to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). Tri-Century Eye Care provides comprehensive eye care services at several locations in Bucks County, Pennsylvania. In a data security incident notice posted on its website in late October, Tri-Century Eye Care informed patients and employees that their personal and protected health information may have been compromised as a result of a breach detected on September 3."
  https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/

General News

• FinCEN Says Ransomware Gangs Extorted Over $2.1B From 2022 To 2024
  "A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs. From thousands of Bank Secrecy Act filings, the report documents 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly reaching the total reported over 8 years from 2013 to 2021."
  https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/
  https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
  https://therecord.media/fincen-treasury-2-billion-ransomware-payments-report
  https://www.darkreading.com/cyberattacks-data-breaches/us-treasury-45b-ransom-payments-2013
  https://cyberscoop.com/ransomware-payments-decline-2024-fincen/
  https://www.securityweek.com/ransomware-payments-surpassed-4-5-billion-us-treasury/
  https://securityaffairs.com/185465/cyber-crime/fincen-data-shows-4-5b-in-ransomware-payments-record-spike-in-2023.html
• Poland Arrests Ukrainians Utilizing 'advanced' Hacking Equipment
  "The police in Poland arrested three Ukrainian nationals for allegedly attempting to damage IT systems in the country using hacking equipment and for obtaining "computer data of particular importance to national defense." The three men, aged between 39 and 43, could not explain why they were carrying the electronic devices. They now face charges of fraud, computer fraud, and possession of devices and software intended for criminal activity. According to the police, the Ukrainians "were visibly nervous" when officers stopped them and said they were heading to Lithuania while traveling around Europe."
  https://www.bleepingcomputer.com/news/security/poland-arrests-ukrainians-utilizing-advanced-hacking-equipment/
• Cyber Threats To The U.S.: What Policymakers Need To Know For 2026
  "Cyber attacks against the United States are no longer isolated events or technical headaches. They are now powerful tools of national strategy used by foreign governments, criminal networks, and ideological groups. A new report explains how these attacks have changed from simple hacks into coordinated campaigns aimed at shaping global politics, weakening U.S. institutions, and putting pressure on American decision-makers. This blog highlights the key takeaways for leaders responsible for national security, public policy, and critical infrastructure resilience."
  https://blog.checkpoint.com/executive-insights/cyber-threats-to-the-u-s-what-policymakers-need-to-know-for-2026/
  https://l.cyberint.com/threats-to-the-homeland-report
• NVIDIA Research Shows How Agentic AI Fails Under Attack
  "Enterprises are rushing to deploy agentic systems that plan, use tools, and make decisions with less human guidance than earlier AI models. This new class of systems also brings new kinds of risk that appear in the interactions between models, tools, data sources, and memory stores. A research team from NVIDIA and Lakera AI has released a safety and security framework that tries to map these risks and measure them inside real workflows. The work includes a new taxonomy, a dynamic evaluation method, and a detailed case study of NVIDIA’s AI-Q Research Assistant. The authors also released a dataset with more than ten thousand traces from attack and defense runs to support outside research."
  https://www.helpnetsecurity.com/2025/12/08/nvidia-agentic-ai-security-framework/
  https://arxiv.org/pdf/2511.21990
• Invisible IT Is Becoming The Next Workplace Priority
  "IT leaders want their employees to work without running into digital hurdles, but many still struggle with fragmented systems that slow teams down. A new report from Lenovo sheds light on how widespread the problem has become and what organizations can do to reduce workplace friction. Hybrid work pushed companies to adopt new tools, devices and management platforms at speed. According to the research, enterprises now manage an average of 897 applications, but only 28 percent are integrated. The report notes that this patchwork environment strains both workers and support teams, since employees must move across several systems before they can resolve problems or complete simple tasks."
  https://www.helpnetsecurity.com/2025/12/08/invisible-it-workplace-priority/
• CISOs Are Spending Big And Still Losing Ground
  "Security leaders are entering another budget cycle with more money to work with, but many still feel no safer. A new benchmark study from Wiz shows a widening gap between investment and impact. Budgets keep rising, cloud programs keep expanding, and AI is reshaping both threats and defenses. Still, CISOs say the fundamentals of risk reduction are not improving fast enough."
  https://www.helpnetsecurity.com/2025/12/08/wiz-cybersecurity-spending-priorities-report/
• CISO Conversations: Keith McCammon, CSO And Co-Founder At Red Canary
  "Keith McCammon was a technologist first and security guru second. He has never received any formal training in cybersecurity; but a love of technology and pleasure in solving puzzles naturally led into the subject, learning on the journey. Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company)."
  https://www.securityweek.com/ciso-conversations-keith-mccammon-cso-and-co-founder-at-red-canary/
• Three Hacking Groups, Two Vulnerabilities And All Eyes On China
  "On the main stage at the Pwn2Own hacking competition in Berlin this March, researchers demonstrated it was possible to remotely compromise sensitive information via Microsoft’s on-premise SharePoint software — the first glimpse that the world got of two dangerous software vulnerabilities threatening governments and enterprises around the globe."
  https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft
• Officials Offer $10M Reward For Information On IRGC-Linked Leader And Close Associate
  "The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. “Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week."
  https://cyberscoop.com/shahid-shushtari-iran-cyber-electronic-command-10m-reward/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Telecom Sector

• The Largest Telecommunications Attack In U.S. History: What Really Happened—And How We Fight Back
  "When Senator Ben Ray Luján warned that the United States was facing “the largest telecommunications hack in our nation’s history,” it marked a turning point in how we understand national cyber risk. On December 4, 2024, the White House confirmed a sprawling cyber-espionage campaign targeting 80 global telecom providers across dozens of countries¹. A joint task force—the Operation Enduring Security Framework—was launched by the NSA, Pentagon, and CISA to contain the damage. The adversary behind it: a sophisticated nation-state threat actor Microsoft calls Salt Typhoon, also tracked as Ghost Emperor, FamousSparrow, Earth Estrie, UNC2286, and earlier as LightBasin / UNC1945 / LIMINAL PANDA²⁻⁴."
  https://blog.checkpoint.com/security/the-largest-telecommunications-attack-in-u-s-history-what-really-happened-and-how-we-fight-back/

Vulnerabilities

• Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
  "A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability."
  https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
  https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html
• React2Shell Flaw Exploited To Breach 30 Orgs, 77k IP Addresses Vulnerable
  "Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors. React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic."
  https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-55182 Meta React Server Components Remote Code Execution Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
  https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
• PromptPwnd: Prompt Injection Vulnerabilities In GitHub Actions Using AI Agents
  "Aikido Security discovered a new class of vulnerabilities, which we have named PromptPwnd, in GitHub Actions or GitLab CI/CD pipelines when combined with AI agents like Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference in CI/CD pipelines. At least 5 Fortune 500 companies are impacted, with early indicators suggesting the same flaw is likely present in many others."
  https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents
  https://cyberscoop.com/ai-coding-tools-can-be-turned-against-you-aikido-github-prompt-injection/
  https://hackread.com/promptpwnd-vulnerabilit-ai-systems-data-theft/
• From Inbox To Wipeout: Perplexity Comet’s AI Browser Quietly Erasing Google Drive
  "Polite emails are supposed to keep work civil, not wipe your Google Drive. In this blog, we’re going to unpack a new zero click agentic browser attack on Perplexity Comet that turns a friendly “please organize our shared Drive” email into a quiet Google Drive wiper, driven entirely by a single trusted prompt to an AI browser assistant. We’ll walk through how the attack works, why tone and task sequencing matter for LLM-driven agents, and what security teams should change now to protect Gmail and Google Drive workflows. This research continues Straiker’s STAR Labs work on agentic AI security and opens our agentic browser series with a focus on browser harm. It builds on prior findings showing how a single email could trigger zero click Drive exfiltration. In this attack we’ll cover, Perplexity Comet followed the polite, step by step instructions as valid workflow, allowing the deletion sequence to run unchecked."
  https://www.straiker.ai/blog/from-inbox-to-wipeout-perplexity-comets-ai-browser-quietly-erasing-google-drive
  https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
• Novel Clickjacking Attack Relies On CSS And SVG
  "Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS). Rebane demonstrated the technique at BSides Tallinn in October and has now published a summary of her approach. The attack, which has yet to be fully mitigated, relies on the fact that SVG filters can leak information across origins, in violation of the web's same-origin policy."
  https://www.theregister.com/2025/12/05/css_svg_clickjacking/
• Attacking LINE Cryptography For Fun And .. Forensics
  "The pursuit of obscure knowledge offers some of the greatest enjoyment, to understand something deeply. That understanding itself is the reward all researchers seek. Sometimes understanding comes with new insights! While looking at End-To-End-Encryption (e2ee) in the LINE messaging application I identified a few key issues in the Key Derivation Function (KDF) used by LINE and found that it had some cascading effects beyond e2ee."
  https://think.501.team/research/Attacking+LINE+Cryptography+for+Fun+and+..+Forensics
• IDEsaster: A Novel Vulnerability Class In AI IDEs
  "We all know AI reshaped how we build software. Autocomplete evolved into AI agents that can autonomously act on behalf of the user. As vendors compete on “productivity” they add additional capabilities that significantly affect the security posture of their products. Around 6 months ago, I decided to dig into the world of AI IDEs and coding assistants because they were gaining popularity and it was clear they are here to stay. The first vulnerabilities I found were focused on narrow components - a vulnerable tool, writeable agent configuration or writeable MCP configuration that leads to anything from data exfiltration to remote code execution. Those issues are serious, but they only affect a single application at a time (and were publicly disclosed multiple times)."
  https://maccarita.com/posts/idesaster/
  https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html

Malware

• FBI Warns Of Virtual Kidnapping Scams Using Altered Social Media Photos
  "The FBI warns of criminals altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams. This is part of a public service announcement published today about criminals contacting victims via text message, claiming to have kidnapped a family member and demanding ransom payments. However, as the FBI explained, virtual kidnapping scams involve no actual abduction. Instead, criminals use manipulated images found on social networks and publicly available information to create convincing scenarios designed to pressure victims into paying ransoms before verifying that their loved ones are safe."
  https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
  http://www.ic3.gov/PSA/2025/PSA251205
  https://www.theregister.com/2025/12/05/virtual_kidnapping_scam/
• China-Nexus Cyber Threat Groups Rapidly Exploit React2Shell Vulnerability (CVE-2025-55182)
  "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router. While this vulnerability doesn’t affect AWS services, we are sharing this threat intelligence to help customers running React or Next.js applications in their own environments take immediate action."
  https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
  https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html
  https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/
  https://therecord.media/chinese-hackers-exploiting-react2shell-vulnerability-amazon
  https://www.darkreading.com/vulnerabilities-threats/react2shell-under-attack-china-nexus-groups
  https://www.bankinfosecurity.com/chinese-nation-state-groups-tied-to-react2shell-targeting-a-30201
  https://cyberscoop.com/attackers-exploit-react-server-vulnerability/
  https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/
  https://www.theregister.com/2025/12/05/aws_beijing_react_bug/
• Return Of ClayRat: Expanded Features And Techniques
  "In October, the zLabs team first identified the ClayRat Android spyware, a malware capable of stealing SMS messages, call logs, capturing victim photos, initiating calls, and sending mass SMS messages to the victim's contact list. Our continuous monitoring of this malware family has since uncovered a new variant with significantly upgraded capabilities. This updated ClayRat strain now leverages Accessibility Services in addition to exploiting Default SMS privileges. Misusing Accessibility services enables a range of actions, including:"
  https://zimperium.com/blog/return-of-clayrat-expanded-features-and-techniques
  https://hackread.com/clayrat-android-spyware-variant-device-control/
• Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
  "Throughout 2025, CrowdStrike has identified multiple intrusions targeting VMware vCenter environments at U.S.-based entities, in which newly identified China-nexus adversary WARP PANDA deployed BRICKSTORM malware. WARP PANDA exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. In addition to BRICKSTORM, WARP PANDA has also deployed JSP web shells and two new implants for ESXi environments — now named Junction and GuestConduit — during their operations."
  https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/
  https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/
  https://www.securityweek.com/us-organizations-warned-of-chinese-malware-used-for-long-term-persistence/
• Sanctioned But Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue
  "Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving. Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders. Alongside research published by our colleagues from Recorded Future and Amnesty, this blog post will shed light on Intellexa’s recent activities, unveil the real-world impact of their surveillance tools, and detail the actions we are taking against this industry."
  https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue
  https://www.infosecurity-magazine.com/news/predator-spyware-intellexa-evades/
  https://www.malwarebytes.com/blog/news/2025/12/leaks-show-intellexa-burning-zero-days-to-keep-predator-spyware-running
• New Prompt Injection Attack Vectors Through MCP Sampling
  "This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools. We show that, without proper safeguards, malicious MCP servers can exploit the sampling feature for a range of attacks. We demonstrate these risks in practice through three proof-of-concept (PoC) examples conducted within the coding copilot, and discuss strategies for effective prevention."
  https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/
• Sharpening The Knife: GOLD BLADE’s Strategic Evolution
  "Between February 2024 and August 2025, Sophos analysts investigated nearly 40 intrusions related to STAC6565, a campaign the analysts assess with high confidence is associated with the GOLD BLADE threat group (also known as RedCurl, RedWolf, and Earth Kapre). This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations. Once focused primarily on cyberespionage, GOLD BLADE has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt."
  https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/
• A Hidden Pattern Within Months Of Credential-Based Attacks Against Palo Alto GlobalProtect
  "On 2 December 2025, GreyNoise observed a concentrated spike of 7,000+ IPs attempting to log into Palo Alto Networks GlobalProtect portals. All activity originated from infrastructure operated by 3xK GmbH and targeted two Palo Alto profiles in GreyNoise’s Global Observation Grid (GOG)."
  https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
  https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/
  https://securityaffairs.com/185382/hacking/attackers-launch-dual-campaign-on-globalprotect-portals-and-sonicwall-apis.html

Breaches/Hacks/Leaks

• Barts Health NHS Discloses Data Breach After Oracle Zero-Day Hack
  "Barts Health NHS Trust, a major healthcare provider in England, announced that Clop ransomware actors have stolen files from one of its databases after exploiting a vulnerability in its Oracle E-business Suite software. The stolen data are invoices spanning several years that expose the full names and addresses of individuals who paid for treatment or other services at Barts Health hospital. Information of former employees who owed money to the trust, and suppliers whose data is already public, has also been exposed, the organization says."
  https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
  https://hackread.com/barts-health-nhs-cl0p-ransomware-data-breach/
• Data Brokers Are Exposing Medical Professionals, And Turning Their Personal Lives Into Open Files
  "Large amounts of personal information about medical professionals are available on people search sites. A new analysis by Incogni’s researchers shows how much data about doctors appears online and how easily it can be found. The findings should concern healthcare leaders who support staff safety, workforce protection, and clinical operations."
  https://www.helpnetsecurity.com/2025/12/05/incogni-healthcare-staff-data-exposure-report/

General News

• React Flaw Mitigation Leads To Cloudflare Outage
  "Content delivery network giant Cloudflare is investigating a brief outage early Friday that took down multiple websites. The incident marks the second outage in the span of a month, although the company said the causes are unrelated. The incident affected social media platforms LinkedIn and X as well as Zoom and online design platform Canva. Multiple users took to X on Friday morning to report that they were prompted with an internal server error when they visited these websites. Impacted services have since been restored."
  https://www.bankinfosecurity.com/react-flaw-mitigation-leads-to-cloudflare-outage-a-30207
  https://www.securityweek.com/cloudflare-outage-caused-by-react2shell-mitigations/
  https://www.bleepingcomputer.com/news/technology/cloudflare-down-websites-offline-with-500-internal-server-error/
  https://www.theregister.com/2025/12/05/react2shell_pocs_exploitation/
• Rethinking The CIO-CISO Dynamic In The Age Of AI
  "As artificial intelligence and digital transformation become table stakes for today's enterprises, CIOs and CISOs are being pulled into the spotlight, and the way these two leaders operate is changing. Organizations are beginning to reimagine how these leadership roles should be structured, aligned and empowered as they grapple with regulatory pressures, the unpredictable nature of AI systems and the need for operational resilience in an uncertain business climate."
  https://www.bankinfosecurity.com/rethinking-cio-ciso-dynamic-in-age-ai-a-30211
• Threat Landscape Grows Increasingly Dangerous For Manufacturers
  "Manufacturers continued to be a top target — if not the top target — of financially motivated cyberattacks in 2025, with their sensitivity to operational disruptions and their shortage of expertise and well-designed protections causing issues for the business sector as a whole, experts say. In 2025, half of manufacturers (51%) fell prey to ransomware and paid a ransom, with the average ransom costing $1 million and the average recovery cost (excluding the ransom) approaching $1.3 million, according to data that cybersecurity firm Sophos collected from more than 330 manufacturing organizations."
  https://www.darkreading.com/cyberattacks-data-breaches/threat-landscape-increasingly-dangerous-manufacturers
• CISOs Should Be Asking These Quantum Questions Today
  "This isn't a pitch for a new box or black box. It's a look at how security, compliance, and engineering teams need to evolve as quantum methods quietly move into production workflows. What follows focuses on the practical questions chief information security officers (CISOs), SecOps leaders, and engineering teams should be asking about visibility, validation, and compliance, rather than hardware specs or vendor road maps. Most enterprises aren't running quantum computers. So why should security operations teams care today?"
  https://www.darkreading.com/cybersecurity-operations/cisos-should-be-asking-these-quantum-questions-today
• Building The Missing Layers For An Internet Of Agents
  "Cybersecurity teams are starting to think about how large language model agents might interact at scale. A new paper from Cisco Research argues that the current network stack is not prepared for this shift. The work proposes two extra layers on top of the application transport layer to help agents communicate in a structured way and agree on shared meaning before they act."
  https://www.helpnetsecurity.com/2025/12/05/cisco-research-internet-of-agents-architecture/
  https://arxiv.org/pdf/2511.19699
• Maryland Man Sentenced For N. Korea IT Worker Scheme Involving US Government Contracts
  "A 40-year-old Maryland man has been sentenced to 15 months in prison for his role in a scheme where he allowed North Korean nationals to use his identity to work in software development roles at several U.S. government agencies, including the Federal Aviation Administration (FAA). Minh Phuong Ngoc Vong will also have to serve three years of supervised release as part of his plea agreement with the Justice Department."
  https://therecord.media/north-korea-it-worker-scheme-maryland-man-sentenced
• CheatSheet – A Practical Guide For Securely Using Third-Party MCP Servers 1.0
  "The Practical Guide for Securely Using Third-Party MCP Servers from the OWASP GenAI Security Project provides a detailed framework for safely deploying and managing external Model Context Protocol (MCP) servers. It outlines the unique security risks introduced by connecting AI models to third-party tools and data sources, including tool poisoning, prompt injection, memory poisoning, and tool interference. The guide offers actionable mitigations covering authentication, authorization, client sandboxing, secure server discovery, and governance workflows, emphasizing least-privilege access and human-in-the-loop oversight."
  https://genai.owasp.org/resource/cheatsheet-a-practical-guide-for-securely-using-third-party-mcp-servers-1-0/
  https://www.scworld.com/feature/mcp-servers-emerge-as-new-supply-chain-risk-as-real-attacks-accelerate
• A Tale Of Two CISOs: Why An Engineering-Focused CISO Can Be a Liability
  "QUESTION: What is the difference between an engineering-focused CISO and a holistic CISO, and what does it mean for the organization? David Schwed, COO at SovereignAI: Right now, there is a global CISO hiring spree. AI labs, cryptocurrency exchanges, and financial institutions are competing over the same small pool of security leaders. Also right now, 2025 is on track to be the worst year for digital asset theft, with over $2 billion stolen by midyear and a single $1.5 billion hack of exchange Bybit dominating the losses."
  https://www.darkreading.com/cyber-risk/why-an-engineering-focused-ciso-can-be-a-liability

อ้างอิง
Electronic Transactions Development Agency (ETDA)